Description
Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, the manager of a form could potentially exploit an Unrestricted Upload of File with Dangerous Type due to a missing validation. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.
Published: 2026-03-25
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution via Unrestricted File Upload
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a missing validation that allows a form manager to upload files of any type, including dangerous executables, to Kiteworks Secure Data Forms. Because the upload control accepts any MIME type or file extension, an attacker could place a malicious script or binary as part of a form's resources. This increases the risk that the uploaded content could be executed by the system or used by subsequent users, leading to compromise of confidentiality, integrity, or availability. The weakness is identified as CWE-434, an unrestricted upload of files with dangerous types.

Affected Systems

Kiteworks Secure Data Forms from Accellion is affected. Any deployment of the product that is running a version earlier than 9.2.1 is susceptible, including versions 9.0.x, 9.1.x, and other earlier releases. The advisory specifically applies to form managers who can configure forms within the application.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity vulnerability. The EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires authentication as a form manager and depends on the ability to upload a file that the system later processes or executes. Because the attack vector is restricted to users with management rights, the attack surface is limited, but if compromised credentials are involved, the risk of code execution or data exfiltration is significant.

Generated by OpenCVE AI on March 27, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kiteworks to version 9.2.1 or later

Generated by OpenCVE AI on March 27, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Accellion
Accellion kiteworks
CPEs cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*
Vendors & Products Accellion
Accellion kiteworks

Fri, 27 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Kiteworks
Kiteworks secure Data Forms
Vendors & Products Kiteworks
Kiteworks secure Data Forms

Wed, 25 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, the manager of a form could potentially exploit an Unrestricted Upload of File with Dangerous Type due to a missing validation. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.
Title Kiteworks Secure Data Forms is vulnerable to an Unrestricted Upload of File with Dangerous Type
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:L'}

Subscriptions

Accellion Kiteworks
Kiteworks Secure Data Forms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T14:56:49.566Z

Reserved: 2026-01-14T16:08:37.483Z

Link: CVE-2026-23636

cve-icon Vulnrichment

Updated: 2026-03-27T14:56:45.803Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T17:16:35.660

Modified: 2026-03-27T19:13:44.067

Link: CVE-2026-23636

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-29T20:28:20Z

Weaknesses