A critical authentication bypass vulnerability has been identified in multiple Formbricks products. This flaw allows an unauthenticated attacker to forge access tokens (JWTs) and impersonate any user, including administrators, because the system fails to verify the token's digital signature. Successful exploitation could lead to a complete compromise of the application, including unauthorized access to sensitive survey data, account takeovers, and administrative control.

The vulnerability exists within the JSON Web Token (JWT) validation process. The application's token validation routine decodes the JWT to read its contents (the claims) but fails to perform the critical step of verifying the token's cryptographic signature. An attacker can therefore craft a JWT with arbitrary claims, such as granting themselves administrative privileges, and sign it with their own key or even no key at all (alg: "none"). The vulnerable application will accept this forged token as valid, granting the attacker unauthorized access and control equivalent to the user they are impersonating.

This vulnerability is rated as critical severity with a CVSS score of 9.4, posing a significant and immediate threat to the organization. Exploitation allows an attacker to bypass all authentication controls, leading to a complete compromise of the Formbricks instance. Potential consequences include the theft and exposure of sensitive customer or employee data collected through surveys, manipulation of survey results, unauthorized modification of system configurations, and complete account takeover of any user, including administrators. This could result in severe reputational damage, regulatory fines for data breaches, and a total loss of confidentiality, integrity, and availability for the affected application.

Immediate Action: Immediately upgrade all vulnerable Formbricks instances to version 4.0.1 or later. This version contains the necessary patch to correctly implement JWT signature verification. After patching, it is crucial to review all access and audit logs for signs of suspicious activity or potential compromise that may have occurred before the update.

Proactive Monitoring: Security teams should actively monitor application logs for anomalous authentication patterns, such as multiple failed login attempts followed by a success from an unfamiliar IP address, or sudden privilege escalation events for user accounts. Implement alerts for any JWTs that use the alg: "none" header. Network traffic should be monitored for unusual requests to sensitive API endpoints.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to inspect and validate the headers and signatures of incoming JWTs. Restrict network access to the application to only trusted IP ranges to reduce the attack surface. Enforce strict access control policies at the network layer to limit the potential impact of a compromise.

Public Exploit Available: true

Given the critical CVSS score of 9.4 and the ease of exploitation, this vulnerability requires immediate and urgent attention. We strongly recommend that all affected Formbricks products are patched to version 4.0.1 or a later version without delay. Due to the risk of pre-patch compromise, organizations must conduct a thorough investigation of access logs to identify any unauthorized access or account activity. Treat this vulnerability with the highest priority, as it represents a direct path for an attacker to achieve full system compromise.