CVE-2026-28803

Name of the Vulnerable Software and Affected Versions Open Forms versions prior to 3.3.13 Open Forms versions prior to 3.4.5

Description Open Forms allows users to create and publish smart forms. Prior to versions 3.3.13 and 3.4.5, a cosigner receives an email with instructions or a deep-link to start the cosigning process. The submission reference is communicated, allowing the user to retrieve the submission for cosigning. An attacker can guess or modify the received code to access arbitrary submissions after logging in with DigiD/eHerkenning, or similar authentication methods, depending on the form configuration. The issue involves the potential to access submissions not intended for the cosigner.

Recommendations Update Open Forms to version 3.3.13 or later. Update Open Forms to version 3.4.5 or later.