Description
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Published: 2026-06-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference that lets an authenticated attacker modify the approval flow configurations of forms owned by other users. By tampering with these settings, an attacker can alter the approval process, potentially bypassing required approvals or escalating privileges. This affects integrity, and potentially confidentiality where approvals control access to sensitive data; the weakness is classified as CWE-639.

Affected Systems

The affected component is Kiteworks Secure Data Forms. Versions before 9.3.0 are vulnerable. The product is part of the Kiteworks private data network solution, and any instance running a pre‑9.3.0 build of Secure Data Forms faces this issue.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires an authenticated user, so the attack is carried out from an authenticated session; once authenticated, the attacker can change the configuration of other users' forms. Although the overall risk is moderate, organizations should address it promptly, since the attacker can manipulate approval workflows that may control access to confidential data.

Generated by OpenCVE AI on June 1, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kiteworks to version 9.3.0 or later to apply the vendor patch.
  • Restrict edit permissions on form approval configurations to owners or administrators and review access control lists.
  • Monitor configuration change logs for suspicious activity and audit changes to approval workflows.

Generated by OpenCVE AI on June 1, 2026 at 20:21 UTC.
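The ownership check the advisory says was missing, shown as an added illustration (not Kiteworks code; the user/form model, function names and sample data are assumed): the first handler trusts the client-supplied form id, the second requires the caller to own the form or be an administrator and records every attempt so denied edits can be monitored.

```python
# Added example, not Kiteworks code: the CWE-639 pattern the advisory describes
# (approval-flow settings looked up by a client-supplied form id with no
# ownership check), beside an owner-or-admin check that also logs the attempt.
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    is_admin: bool = False


@dataclass
class Form:
    form_id: int
    owner_id: int
    approval_flow: list = field(default_factory=list)


class AuthorizationError(Exception):
    pass


def make_sample_forms():
    """Constructed sample data: two users, each owning one form."""
    return {
        101: Form(101, owner_id=1, approval_flow=["manager", "legal"]),
        102: Form(102, owner_id=2, approval_flow=["manager"]),
    }


def update_approval_flow_vulnerable(forms, actor, form_id, new_flow):
    """Trusts the id the client sent: any authenticated user edits any form."""
    form = forms[form_id]
    form.approval_flow = list(new_flow)
    return form


def update_approval_flow_fixed(forms, actor, form_id, new_flow, audit_log):
    """Requires the caller to own the form (or be an admin).

    Unknown ids and foreign ids raise the same error so the check does not
    reveal which form ids exist; every attempt is appended to audit_log so
    denied edits can be monitored."""
    form = forms.get(form_id)
    allowed = form is not None and (form.owner_id == actor.user_id or actor.is_admin)
    audit_log.append({"actor": actor.user_id, "form": form_id, "allowed": allowed})
    if not allowed:
        raise AuthorizationError("form not found or not owned by caller")
    form.approval_flow = list(new_flow)
    return form
```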

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 21:45:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Kiteworks
                                        Kiteworks Secure Data Forms
Vendors & Products                      Kiteworks
                                        Kiteworks Secure Data Forms

Mon, 01 Jun 2026 21:30:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc
                             {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 01 Jun 2026 19:00:00 +0000

Type          Values Removed    Values Added
Description                     Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Title                           Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key
Weaknesses                      CWE-639
References
Metrics                         cvssV3_1
                                {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T19:04:22.955Z

Reserved: 2026-01-14T16:08:37.483Z

Link: CVE-2026-23638

Vulnrichment

Updated: 2026-06-01T19:01:40.007Z

NVD

Status: Awaiting Analysis

Published: 2026-06-01T19:16:22.140

Modified: 2026-06-02T13:55:46.237

Link: CVE-2026-23638

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T21:30:26Z

Weaknesses