Description
Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch.
Published: 2026-03-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data access
Action: Patch upgrade
AI Analysis

Impact

Kiteworks Core versions 9.2.0 and 9.2.1 contain an access control flaw that permits authenticated users to view data they do not own. This improper ownership management can lead to the disclosure of confidential information. The vulnerability is categorized as CWE-282 and carries a CVSS score of 8.8, indicating high severity.

Affected Systems

The affected product is Accellion Kiteworks Core, specifically versions 9.2.0 and 9.2.1. These are versions of the private data network software. Users running these releases are susceptible to the flaw until a patch is applied.

Risk and Exploitability

The CVSS score of 8.8 reflects a high risk, while the EPSS of less than 1 % suggests limited exploitation in the wild. The vulnerability requires authentication, meaning users with valid credentials could abuse the flaw. It is not currently listed in the CISA KEV catalog. Because the exploit path is purely internal and limited to legitimate accounts, the likelihood of attack is moderate, but the potential for sensitive data exposure warrants prompt remediation.

Generated by OpenCVE AI on March 27, 2026 at 20:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kiteworks Core to version 9.2.2 or later.
  • Verify that the new version includes the proper ownership controls.
  • Monitor for any further advisories from Kiteworks or Accellion.

Generated by OpenCVE AI on March 27, 2026 at 20:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Accellion
Accellion kiteworks
CPEs cpe:2.3:a:accellion:kiteworks:9.2.0:*:*:*:*:*:*:*
cpe:2.3:a:accellion:kiteworks:9.2.1:*:*:*:*:*:*:*
Vendors & Products Accellion
Accellion kiteworks

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Kiteworks
Kiteworks core
Vendors & Products Kiteworks
Kiteworks core

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 14:30:00 +0000

Type Values Removed Values Added
Description Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch.
Title Kiteworks Core before 9.2.2 is vulnerable to Improper Ownership Management
Weaknesses CWE-282
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Accellion Kiteworks
Kiteworks Core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:45:43.015Z

Reserved: 2026-01-13T18:22:43.979Z

Link: CVE-2026-23514

cve-icon Vulnrichment

Updated: 2026-03-25T14:45:31.918Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T15:16:37.967

Modified: 2026-03-27T18:52:37.110

Link: CVE-2026-23514

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:28:27Z

Weaknesses