Formbricks JWT Bypass

CRITICAL (9.4)

Threat Intelligence

Low Risk
EPSS Score: 0.01% chance of exploitation (percentile: 1%)
🔍 Detection Tools: None available in major open-source tools
⚔️ Exploit Availability: No public exploits found


What is it?

Formbricks is an open-source alternative to Qualtrics. This vulnerability stems from a token validation routine that only decodes incoming JWTs without verifying their signatures. Because nothing checks the signature, an attacker can alter the claims in a token (or mint a new one) and have it accepted as genuine.

Am I affected?

You're affected if you use Formbricks. Affected versions: 4.0.1. If you don't recognise this software, you're probably not affected.

How to fix

  1. Upgrade to Formbricks version 4.0.1 or later from the official GitHub repository: https://github.com/formbricks/formbricks/releases/tag/v4.0.1
  2. Immediate mitigations:
     - Restrict network access to your Formbricks instance (firewall it from the public internet)
     - Audit admin account activity for suspicious access patterns
     - Monitor for unauthorized token creation