Formie Unauthenticated Submission Editing Vulnerability (CVE-2026-47266)

A vulnerability exists in the Formie plugin that allows unauthenticated users to modify existing form submissions. By sending a crafted POST request to the formie/submissions/save-submission endpoint with a known or guessed submission ID, an attacker can overwrite existing submission data. This issue affects Formie versions prior to 2.2.21 and versions 3.0.0 through 3.1.26. Successful exploitation of this vulnerability could lead to data manipulation, unauthorized access to sensitive information, or other malicious activities. This vulnerability is identified as CVE-2026-47266.

Attack Chain

1. An unauthenticated attacker identifies a target Formie installation.
2. The attacker enumerates or guesses existing submission IDs.
3. The attacker crafts a malicious POST request to formie/submissions/save-submission.
4. The POST request includes the targeted submission ID.
5. The POST request contains modified form field data intended to overwrite the original submission.
6. The Formie plugin processes the request without proper authentication checks.
7. The targeted submission is updated with the attacker’s modified data.
8. The attacker verifies the submission has been successfully overwritten.

Impact

Successful exploitation of CVE-2026-47266 allows unauthenticated users to modify existing Formie submissions. This could lead to data corruption, exposure of sensitive information contained within the forms, or manipulation of business processes that rely on the integrity of the submitted data. The number of affected installations is currently unknown, but any Formie instance running a vulnerable version is susceptible to this attack.

Recommendation

• Upgrade Formie to version 2.2.21 or 3.1.26 or later to patch CVE-2026-47266, as per the vendor’s advisory.
• As a workaround, block unauthenticated access to the actions/formie/submissions/save-submission endpoint, as described in the vendor’s advisory.
• Deploy the Sigma rule provided below to detect attempts to exploit this vulnerability by monitoring POST requests to the formie/submissions/save-submission endpoint.