PatchSiren


CVE-2026-13543 Documenso CVE debrief

CVE-2026-13543 is a vulnerability in Documenso versions up to 2.11.0. It affects unspecified functionality in the file packages/auth/server/lib/utils/handle-oauth-callback-url.ts, part of the Google OAuth Login component. Manipulation of this functionality leads to improper authentication. The attack can be launched remotely but has high complexity. Exploitation appears to be difficult, but the exploit is now public and may be used. A pull request to fix this issue is awaiting acceptance.

Vendor: Documenso
Product: Documenso
CVSS: LOW 2.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-29
Original CVE updated: 2026-06-29
Advisory published: 2026-06-29
Advisory updated: 2026-06-29

Who should care

Organizations using Documenso up to version 2.11.0 should be aware of this vulnerability in the Google OAuth Login functionality. Given the low CVSS score of 2.9, the vulnerability is considered low severity, but defenders should still assess their exposure and consider applying the fix when available.

Technical summary

CVE-2026-13543 is located in the Google OAuth Login component of Documenso, specifically in the file packages/auth/server/lib/utils/handle-oauth-callback-url.ts. It leads to improper authentication and has a CVSS score of 2.9, indicating low severity. The attack is characterized by high complexity, making exploitation difficult. However, the exploit is now public, which increases the urgency for defenders to assess their exposure and prepare for a fix.

Defensive priority

Defenders should prioritize reviewing their Documenso installations to determine if they are affected by CVE-2026-13543. Given the low severity but public exploit availability, defenders should prepare to apply the fix when it becomes available.

Recommended defensive actions

  • Review Documenso installations to determine if they are affected by CVE-2026-13543.
  • Monitor for the availability of the fix and plan for its deployment.
  • Consider compensating controls to mitigate the risk of exploitation.
  • Inventory and track Documenso versions to ensure timely application of the fix.
  • Monitor for potential exploitation attempts.
  • Update incident response plans to include this vulnerability.
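
The inventory and review steps above can be scripted. The following is an added example, not code from Documenso or from the advisory sources: it classifies a list of deployments against the affected range stated here (up to 2.11.0). The host names, sample versions and status labels are constructed for illustration.

```javascript
// Added example: triage a Documenso version inventory against the affected
// range stated in this debrief (up to and including 2.11.0).
// Host names, versions and status labels below are constructed.
const LAST_AFFECTED = "2.11.0";

// Parse "v2.11.0", "2.11.0-rc.1" or "2.11" into { nums: [maj, min, patch], pre }.
// Returns null for anything that is not a recognisable version string.
function parseVersion(raw) {
  const m = /^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(raw).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3] || 0)], pre: m[4] || null };
}

// Negative if a < b, 0 if equal, positive if a > b.
// A pre-release sorts before its release (2.11.0-rc.1 < 2.11.0), as in semver.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1; // simplified ordering between two pre-releases
}

// Versions above 2.11.0 are not reported as clean, because the debrief says
// the fix is still a pull request awaiting acceptance.
function classify(rawVersion) {
  const v = parseVersion(rawVersion);
  if (!v) return "unknown";
  return compareVersions(v, parseVersion(LAST_AFFECTED)) <= 0 ? "affected" : "verify-fix-status";
}

function triage(inventory) {
  return inventory.map(({ host, version }) => ({ host, version, status: classify(version) }));
}

// Constructed inventory for illustration.
const SAMPLE_INVENTORY = [
  { host: "sign-prod-01", version: "2.11.0" },
  { host: "sign-stage-01", version: "v2.9.3" },
  { host: "sign-dev-01", version: "2.11.0-rc.1" },
  { host: "sign-lab-01", version: "2.12.1" },
  { host: "sign-old-01", version: "latest" },
];

for (const row of triage(SAMPLE_INVENTORY)) {
  console.log(`${row.host}\t${row.version}\t${row.status}`);
}
```

Deployments reported as "unknown" (for example an unpinned "latest" tag) need the running version resolved by hand before they can be ruled in or out.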

Evidence notes

The vulnerability information is based on the CVE and NVD records, as well as references provided by VulDB. The CVE record and NVD detail provide official information about the vulnerability, while VulDB offers additional context and references.

This article is AI-assisted and based on the supplied source corpus.