Description
Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potentially lead to Unprotected Transport of Credentials under certain circumstances. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unprotected Transport of Credentials
Action: Patch
AI Analysis

Impact

A misconfiguration of security attributes in Kiteworks Secure Data Forms may allow credentials to be transmitted without encryption. This flaw, classified as CWE-523, could expose sensitive authentication data to interception, compromising confidentiality for users who rely on the platform for secure data handling.

Affected Systems

The vulnerability affects Kiteworks Secure Data Forms versions earlier than 9.2.1. Administrators managing installations of the product before the identified patch should verify whether the configuration settings may permit unencrypted credential traffic.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate risk, and the EPSS score of less than 1% suggests a low probability of active exploitation. It is not listed in the CISA KEV catalog. Exploitation requires that the security attributes be improperly set; once that condition exists an attacker can capture credentials in transit on the network.

Generated by OpenCVE AI on March 27, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kiteworks Secure Data Forms to version 9.2.1 or later.
  • Reconfigure security attributes to enforce encrypted transport of credentials.
  • If upgrade is delayed, monitor network traffic for plaintext credential transmissions and isolate affected systems from untrusted networks.

Generated by OpenCVE AI on March 27, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Accellion
Accellion kiteworks
CPEs cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*
Vendors & Products Accellion
Accellion kiteworks

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Kiteworks
Kiteworks secure Data Forms
Vendors & Products Kiteworks
Kiteworks secure Data Forms

Wed, 25 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potentially lead to Unprotected Transport of Credentials under certain circumstances. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.
Title Kiteworks Secure Data Forms has a potential Unprotected Transport of Credentials
Weaknesses CWE-523
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Accellion Kiteworks
Kiteworks Secure Data Forms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T18:06:51.357Z

Reserved: 2026-01-14T16:08:37.483Z

Link: CVE-2026-23635

cve-icon Vulnrichment

Updated: 2026-03-25T17:52:35.550Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T17:16:35.480

Modified: 2026-03-27T19:16:29.210

Link: CVE-2026-23635

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:28:21Z

Weaknesses