Open Forms is a platform enabling users to create and publish smart forms, including workflows requiring cosignatures. Prior to versions 3.3.13 and 3.4.5, the cosign process involved sending the cosigner an email containing instructions or a deep-link with a submission reference code. This code is used to retrieve the specific submission for cosigning. The vulnerability (CWE-284: Improper Access Control) arises because attackers who have authenticated access via identity providers like DigiD or eHerkenning can guess or alter the submission reference code to access arbitrary submissions belonging to other users. This bypasses intended access restrictions, exposing confidential submission data. The vulnerability does not affect integrity or availability but compromises confidentiality. Exploitation requires low attack complexity (guessing or modifying codes) and privileges (authenticated user), but no user interaction beyond login. The vulnerability was assigned CVE-2026-28803 with a CVSS 3.1 score of 6.5, reflecting medium severity. The issue was addressed by fixing access control checks in versions 3.3.13 and 3.4.5, ensuring submission references cannot be arbitrarily guessed or manipulated to access unauthorized data.

The primary impact of this vulnerability is unauthorized disclosure of sensitive form submission data, which can include personal, financial, or confidential information depending on the form's purpose. Organizations using vulnerable versions risk data breaches that could lead to privacy violations, regulatory non-compliance (e.g., GDPR), reputational damage, and potential legal consequences. Since the vulnerability requires authentication via identity providers commonly used in the Netherlands (DigiD, eHerkenning), the risk is particularly relevant for government agencies, healthcare providers, and businesses operating in or serving Dutch users. Although the vulnerability does not allow modification or deletion of data, the exposure of confidential submissions can undermine trust in the platform and lead to secondary attacks such as social engineering or identity theft. The medium severity score reflects the balance between the need for authentication and the significant confidentiality impact.

Organizations should immediately upgrade open-forms installations to version 3.3.13 or 3.4.5 or later to apply the official fix. Until upgraded, administrators should restrict access to the cosign functionality to the minimum necessary user groups and monitor logs for suspicious access patterns involving submission reference codes. Implement additional logging and alerting on cosign submission retrieval attempts to detect anomalous behavior. Review and tighten access control policies around submission references and cosign workflows. If possible, temporarily disable cosign features or require multi-factor authentication for cosigners to reduce risk. Educate users about phishing risks related to cosign emails and instruct them to report unexpected or suspicious cosign requests. Conduct regular security assessments and penetration tests focusing on access control mechanisms in form workflows. Finally, maintain an inventory of affected versions across the organization to prioritize patching efforts.