CVE-2026-1239 HIGH

CVE-2026-1239: Ninja Forms <= 3.14.1 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via token/refresh REST Endpoint

Vendor: Kstover
Product: Ninja Forms – The Contact Form Builder That Grows With You
Weakness: CWE-862 · Missing authorization
Published: July 1, 2026
Last update: July 1, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to unauthorized access of data due to a missing authorization check on the 'ninja-forms-views/token/refresh' REST callback in all versions up to, and including, 3.14.1. This makes it possible for unauthenticated attackers to view form submissions, which could potentially contain sensitive information.

Key dates

02 Disclosure timeline

July 1, 2026: CVE published
July 1, 2026: Record updated
