{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23514", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T18:22:43.979Z", "datePublished": "2026-03-25T14:19:01.421Z", "dateUpdated": "2026-03-25T14:45:43.015Z"}, "containers": {"cna": {"title": "Kiteworks Core before 9.2.2 is vulnerable to Improper Ownership Management", "problemTypes": [{"descriptions": [{"cweId": "CWE-282", "lang": "en", "description": "CWE-282: Improper Ownership Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5"}], "affected": [{"vendor": "kiteworks", "product": "core", "versions": [{"version": ">= 9.2.0, < 9.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T14:19:01.421Z"}, "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch."}], "source": {"advisory": "GHSA-5gqr-cpr6-wvm5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:45:07.568054Z", "id": "CVE-2026-23514", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:45:43.015Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23514", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T14:45:07.568054Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:45:31.918Z"}}], "cna": {"title": "Kiteworks Core before 9.2.2 is vulnerable to Improper Ownership Management", "source": {"advisory": "GHSA-5gqr-cpr6-wvm5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kiteworks", "product": "core", "versions": [{"status": "affected", "version": ">= 9.2.0, < 9.2.2"}]}], "references": [{"url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5", "name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-282", "description": "CWE-282: Improper Ownership Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T14:19:01.421Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23514", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:45:43.015Z", "dateReserved": "2026-01-13T18:22:43.979Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T14:19:01.421Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch."}], "id": "CVE-2026-23514", "lastModified": "2026-03-25T15:41:33.977", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T15:16:37.967", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-282"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.2.0,9.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "core", "source": "cna", "vendor": "kiteworks"}, "product": "core", "vendor": "kiteworks"}], "analysis": {"en": {"generated_at": "2026-03-25T15:50:43.366742+00:00", "value": {"mitigation_remediation": ["Upgrade Kiteworks Core to version 9.2.2 or later to remediate the vulnerability"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized content access via improper ownership checks"}, "threat_synthesis": {"affected_systems": "Kiteworks Core versions 9.2.0 and 9.2.1 are affected. The flaw does not exist in version 9.2.2 or later.", "description_and_impact": "The vulnerability arises from insufficient enforcement of ownership controls within Kiteworks Core. Authenticated users can read or otherwise access data they should not be able to, which may expose confidential information. This represents a breach of access\u2011control integrity boundaries, documented as CWE\u2011282.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high\u2011severity issue. EPSS information is unavailable, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting limited exploitation to date. The attack requires an authenticated user or compromised credentials to exploit the improper ownership checks."}}}}, "created": "2026-03-25T21:31:08.616214+00:00", "updated": "2026-03-26T11:43:05.610310+00:00", "vendors": ["kiteworks", "kiteworks$PRODUCT$core"]}