A high-severity vulnerability in the Formie Craft CMS plugin allows unauthenticated attackers to silently overwrite existing form submissions by manipulating submission IDs; no login required.
Security researchers have disclosed a dangerous authorization bypass flaw in verbb/Formie, one of the most widely deployed form-builder plugins for Craft CMS.
Tracked as CVE-2026-47266 and published via GitHub Advisory GHSA-pgxq-p76c-x9cg, the vulnerability enables any unauthenticated user to modify other users’ form submissions by exploiting a missing authorization check on the front-end submission endpoint. Security engineer Florian from Arcade Solutions AG (security@arcade.ch) is credited with responsibly disclosing the flaw.
Formie is a feature-rich Craft CMS plugin used by thousands of web developers to build, manage, and process front-end forms, including contact forms, surveys, job applications, and e-commerce inquiry forms.
Its deep integration into Craft CMS workflows means the impact of any security flaw extends well beyond a simple plugin update; it directly threatens data integrity across entire websites.
This vulnerability is particularly alarming because it requires zero authentication. Any anonymous visitor who knows or can infer a valid submission ID can silently modify data already stored in the system. This type of attack can go completely undetected without robust server-side logging.
At its core, the flaw falls under CWE-639, Authorization Bypass Through User-Controlled Key, a well-documented OWASP-aligned weakness in which a system’s access control logic fails to verify that a user is authorized to access or modify the resource identified by a user-supplied key.
In Formie’s case, the vulnerable endpoint is:
formie/submissions/save-submission
When Formie’s front-end submission editing feature is enabled, this endpoint accepts a submission ID as a user-controlled parameter. The plugin failed to verify whether the requesting party owned the submission associated with that ID or was authorized to modify it. This means an attacker could:
- Submit a legitimate form to obtain a valid submission ID format
- Enumerate or guess sequential/predictable submission IDs
- POST a modified payload to actions/formie/submissions/save-submission with a targeted ID
- Overwrite the victim’s submission with arbitrary data silently and without authentication.
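To make the missing check concrete, here is an added, constructed model (not Formie’s code) of the CWE-639 pattern described above: a front-end save handler that trusts the submission ID in the request, beside a version that enforces object-level authorization. The store, handler names and the editing_enabled flag are assumptions for the illustration.

```python
"""Constructed model of the flaw class behind CVE-2026-47266 (not Formie's code):
a front-end "save submission" handler keyed on a user-supplied submission ID."""
from dataclasses import dataclass
from typing import Optional

class AuthorizationError(Exception):
    pass

@dataclass
class Submission:
    id: int
    owner_id: Optional[int]   # user who created it; None = anonymous visitor
    fields: dict

class SubmissionStore:
    """Minimal in-memory stand-in for the plugin's submission table (assumed)."""
    def __init__(self):
        self.rows = {}
        self.next_id = 1
    def create(self, owner_id, fields):
        sub = Submission(self.next_id, owner_id, dict(fields))
        self.rows[sub.id] = sub
        self.next_id += 1          # sequential IDs, as the advisory's enumeration step implies
        return sub

def save_submission_vulnerable(store, current_user_id, params):
    """Flawed pattern: the ID in the POST body selects the row and nothing checks
    who the requester is or whether that row belongs to them."""
    sub = store.rows[int(params["submissionId"])]
    sub.fields.update(params["fields"])
    return sub

def save_submission_hardened(store, current_user_id, params, editing_enabled=True):
    """Object-level authorization: an existing row may only be updated when front-end
    editing is on, the requester is authenticated, and the row is owned by them."""
    if "submissionId" not in params:
        return store.create(current_user_id, params["fields"])   # ordinary new submission
    if not editing_enabled or current_user_id is None:
        raise AuthorizationError("editing existing submissions requires a login")
    sub = store.rows.get(int(params["submissionId"]))
    # Same error for "not found" and "not yours", so responses do not confirm valid IDs
    if sub is None or sub.owner_id != current_user_id:
        raise AuthorizationError("submission not found or not owned by requester")
    sub.fields.update(params["fields"])
    return sub
```

In this model anonymous submissions can never be edited afterwards; a real implementation that needs that feature would bind each submission to an unguessable per-submission secret rather than a sequential ID.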
This class of vulnerability is also commonly referred to as an Insecure Direct Object Reference (IDOR) attack. Real-world consequences include falsifying job application data, corrupting survey responses, manipulating e-commerce inquiry records, or injecting malicious content into stored submission data that could later be rendered on admin dashboards.
Notably, this is the second major vulnerability disclosed for Formie in recent weeks. Just weeks prior, CVE-2026-45697, a critical pre-authenticated Server-Side Template Injection (SSTI) flaw, was disclosed, allowing unauthenticated attackers to execute Twig template code via hidden fields.
This back-to-back disclosure pattern indicates that the plugin’s front-end submission-handling code requires a comprehensive security audit.
Affected Versions
The vulnerability affects all Formie installations running versions before the patched releases. Site administrators should immediately verify their installed version:
| Branch | Vulnerable Versions | Patched Version |
|---|---|---|
| v2.x | < 2.2.21 | 2.2.21 |
| v3.x | < 3.1.26 | 3.1.26 |
CVSSv3 Severity: High
The exploit requires no privileges and no user interaction, making it easily weaponizable at scale across any publicly accessible Craft CMS site with front-end form editing enabled.
Mitigation
For teams unable to apply the patch immediately, the following workarounds reduce attack surface exposure:
- Block unauthenticated access to the actions/formie/submissions/save-submission route at the web server or WAF level
- Disable front-end submission editing in Formie’s plugin settings until the patch is applied
- Implement rate limiting on all form-related endpoints to slow enumeration attempts
- Audit submission logs for unusual patterns, specifically repeated save-submission requests from unauthenticated IPs
- Upgrade immediately to Formie 2.2.21 or 3.1.26 via Composer:
composer update verbb/formie
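The log-audit workaround above can be scripted. The following is an added example, not from the advisory or the Formie project: it flags IPs that repeatedly POST to the save-submission action without a session. The log lines are constructed, and the trailing sess field is an assumed custom log field recording whether the request carried a session cookie (standard combined-format logs do not record this).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: combined format plus an assumed extra field
# "sess=yes|-" recording whether the request carried a session cookie.
SAMPLE_LOG = """\
203.0.113.10 - - [30/May/2026:10:00:01 +0000] "POST /actions/formie/submissions/save-submission HTTP/1.1" 200 512 "-" "curl/8.0" sess=-
203.0.113.10 - - [30/May/2026:10:00:02 +0000] "POST /actions/formie/submissions/save-submission HTTP/1.1" 200 512 "-" "curl/8.0" sess=-
203.0.113.10 - - [30/May/2026:10:00:03 +0000] "POST /actions/formie/submissions/save-submission HTTP/1.1" 200 512 "-" "curl/8.0" sess=-
203.0.113.10 - - [30/May/2026:10:00:04 +0000] "POST /actions/formie/submissions/save-submission HTTP/1.1" 200 512 "-" "curl/8.0" sess=-
198.51.100.7 - - [30/May/2026:10:01:00 +0000] "POST /actions/formie/submissions/save-submission HTTP/1.1" 200 512 "-" "Mozilla/5.0" sess=yes
192.0.2.5 - - [30/May/2026:10:05:00 +0000] "POST /actions/formie/submissions/save-submission HTTP/1.1" 200 512 "-" "python-requests/2.31" sess=-
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" sess=(?P<sess>\S+)$'
)
TARGET = "/actions/formie/submissions/save-submission"

def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ip": m["ip"], "method": m["method"], "path": m["path"],
                   "sess": m["sess"],
                   "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def flag_unauthenticated_bursts(text, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: peak count} for IPs that POST to the save-submission action
    without a session at least `threshold` times inside any `window`."""
    per_ip = defaultdict(list)
    for ev in parse_log(text):
        if ev["method"] == "POST" and ev["path"] == TARGET and ev["sess"] == "-":
            per_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

if __name__ == "__main__":
    print(flag_unauthenticated_bursts(SAMPLE_LOG))   # {'203.0.113.10': 4}
```

The single unauthenticated request from 192.0.2.5 stays below the threshold, which is the point of the window: one anonymous save is normal traffic, a burst of them against a route that should only see logged-in editors is not.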
CWE-639 vulnerabilities continue to rank among the most exploited weaknesses in web application ecosystems. Recent months have seen similar authorization bypass flaws affect other popular form plugins, including a critical unauthenticated file upload vulnerability in the Ninja Forms File Uploads add-on (CVE-2026-0740, CVSS 9.8) that allowed full server takeover, and a CWE-639 IDOR flaw in TypeBot’s chatbot engine that exposed user PII, including names, emails, and phone numbers.
These cases collectively illustrate a systemic gap in how open-source form plugins implement access control on public-facing submission endpoints.
Developers building on Craft CMS or any PHP-based CMS should treat every user-controlled identifier as untrusted, enforce server-side object-level authorization (BOLA/IDOR checks) on every data-mutating endpoint, and run composer audit regularly to detect newly disclosed CVEs in their dependency tree.
FAQ
Q1: Do I need to be logged in to exploit CVE-2026-47266?
No, this is an unauthenticated vulnerability requiring only a known or guessed submission ID to overwrite any existing form submission.
Q2: Does this affect all Craft CMS sites using Formie?
Only sites with front-end submission editing enabled are actively exploitable; however, all unpatched versions should be upgraded immediately regardless of configuration.
Q3: What is CWE-639, and how is it different from a standard IDOR?
CWE-639 is MITRE’s classification for authorization bypasses in which the system uses a user-controlled key (like a submission ID) to access records without validating the requester’s ownership. It is the formal categorization that encompasses IDOR attacks.
Q4: Is there evidence of active exploitation of CVE-2026-47266 in the wild?
No confirmed in-the-wild exploitation has been reported as of May 30, 2026. Still, the low attack complexity and zero-authentication requirement make it a high-priority patching target before active abuse begins.
Site: thecybrdef.com