Description
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Published: 2026-06-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kiteworks Secure Data Forms contains an insecure direct object reference that allows an authenticated user to modify resources owned by other users because the server performs insufficient authorization checks on resource ownership. This is a horizontal authorization bypass rather than a privilege escalation: a low-privileged account can tamper with another user's form data simply by supplying that user's resource identifier in an otherwise valid request. The CVSS vector (C:N/I:H/A:N) rates the impact as high on integrity with no direct confidentiality or availability impact, so the primary risk is unauthorized data modification. The weakness is classified as CWE-639, Authorization Bypass Through User-Controlled Key.

Affected Systems

The affected product is Kiteworks, specifically its Secure Data Forms feature. All versions prior to 9.3.0 are vulnerable; upgrading to version 9.3.0 or later remedies the issue. NVD records the product under the CPE cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) categorizes the issue as medium severity: it is reachable over the network with low attack complexity and no user interaction, but it requires an authenticated low-privilege account. The EPSS probability is below 1%, the SSVC assessment records Exploitation: none and Automatable: no, and the vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild has been reported. Nonetheless, exploitation requires only a valid Kiteworks user account, meaning any legitimate user, or an attacker holding compromised credentials, could modify another user's form data. The attack surface is the web interface or API endpoints that accept a form or resource identifier: the attacker substitutes another user's identifier into a request that would otherwise be legitimate, and because the server does not verify ownership, the modification succeeds.

Generated by OpenCVE AI on June 1, 2026 at 23:27 UTC.

Remediation

The vendor fix is to upgrade Kiteworks to version 9.3.0 or later, as stated in the CVE description. No workaround has been published.

OpenCVE Recommended Actions

  • Upgrade Kiteworks to version 9.3.0 or later, which contains the official fix for the authorization bypass.
  • For the vendor, and for any integration built on top of the Secure Data Forms API, ensure that every request to view, edit, or delete a data form verifies that the authenticated user owns the target resource before the operation is performed; scope the lookup to the current principal rather than fetching the record by identifier alone, and return the same error for non-existent and non-owned resources.
  • If an immediate upgrade is not feasible, restrict access to the Secure Data Forms UI/API to users who genuinely need it, and monitor audit logs for successful modifications or deletions of forms where the acting user is not the form's owner.
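The following Python is an added illustration, not Kiteworks code: the in-memory form store, the two handlers, and the key=value audit-log format are all assumptions made for this example. It shows the CWE-639 pattern described in the analysis above (a handler that fetches a form by the user-supplied identifier alone), the hardened handler with the explicit ownership check recommended in the second action, and a small audit-log scan for the cross-owner writes the third action asks you to monitor.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an actor tries to modify a form it does not own."""


@dataclass
class DataForm:
    form_id: int
    owner: str
    fields: dict = field(default_factory=dict)


def make_store() -> dict:
    """Fresh in-memory stand-in for the forms table (constructed data)."""
    return {
        101: DataForm(101, "alice", {"title": "Q2 vendor intake"}),
        102: DataForm(102, "bob", {"title": "HR onboarding"}),
    }


def update_form_vulnerable(store: dict, actor: str, form_id: int, changes: dict) -> DataForm:
    """IDOR (CWE-639): the actor is authenticated (assumed upstream), but the
    handler fetches the form by the user-supplied id alone, so any user can
    modify any form by substituting another user's form_id in the request."""
    form = store[form_id]
    form.fields.update(changes)
    return form


def update_form_fixed(store: dict, actor: str, form_id: int, changes: dict) -> DataForm:
    """Hardened handler: the form must exist AND belong to the actor. Missing
    and non-owned forms raise the same error so the response does not leak
    whether a guessed id exists."""
    form = store.get(form_id)
    if form is None or form.owner != actor:
        raise Forbidden(f"{actor} may not modify form {form_id}")
    form.fields.update(changes)
    return form


# Constructed audit log in an assumed key=value format. bob (line 2) and
# carol (line 4) write to forms they do not own; line 5 is a denied attempt.
SAMPLE_AUDIT_LOG = """\
ts=2026-06-01T10:00:01Z actor=alice action=form.update form_id=101 status=200
ts=2026-06-01T10:00:07Z actor=bob action=form.update form_id=101 status=200
ts=2026-06-01T10:00:09Z actor=bob action=form.view form_id=102 status=200
ts=2026-06-01T10:00:12Z actor=carol action=form.delete form_id=102 status=200
ts=2026-06-01T10:00:15Z actor=carol action=form.update form_id=101 status=403
"""

WRITE_ACTIONS = {"form.update", "form.delete"}


def parse_audit_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def find_cross_owner_writes(log_text: str, owners: dict) -> list:
    """Return (actor, form_id, action) for every successful write whose actor
    is not the recorded owner. `owners` maps form_id -> owner and would be
    exported from the application. Delegated or shared forms, if the
    deployment has them, must be allow-listed here or they show up as hits."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        if rec.get("action") not in WRITE_ACTIONS or rec.get("status") != "200":
            continue
        form_id = int(rec["form_id"])
        owner = owners.get(form_id)
        if owner is not None and rec["actor"] != owner:
            hits.append((rec["actor"], form_id, rec["action"]))
    return hits


def demo() -> dict:
    """bob substitutes alice's form_id (101) into his own update request."""
    results = {}
    store = make_store()
    tampered = update_form_vulnerable(store, "bob", 101, {"title": "tampered"})
    results["vulnerable_allowed_cross_owner_write"] = tampered.fields["title"] == "tampered"

    store = make_store()
    try:
        update_form_fixed(store, "bob", 101, {"title": "tampered"})
        results["fixed_denied"] = False
    except Forbidden:
        results["fixed_denied"] = True
    results["fixed_allows_owner"] = (
        update_form_fixed(store, "alice", 101, {"title": "ok"}).fields["title"] == "ok"
    )

    owners = {fid: f.owner for fid, f in make_store().items()}
    results["cross_owner_writes"] = find_cross_owner_writes(SAMPLE_AUDIT_LOG, owners)
    return results
```

Running demo() reproduces the bug and the fix end to end: the vulnerable handler lets bob overwrite alice's form, the hardened one rejects the same request and still lets alice edit her own form, and the log scan flags exactly the two successful cross-owner writes while ignoring reads and denied requests. The check in update_form_fixed deliberately collapses "does not exist" and "not yours" into one error, because distinguishing them would let an attacker enumerate valid identifiers even after the write path is closed.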



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Accellion
                                       Accellion kiteworks
CPEs                  (none)           cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Accellion
                                       Accellion kiteworks

Tue, 02 Jun 2026 13:30:00 +0000

Type                  Values Removed   Values Added
Metrics               (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 00:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Kiteworks
                                       Kiteworks secure Data Forms
Vendors & Products    (none)           Kiteworks
                                       Kiteworks secure Data Forms

Mon, 01 Jun 2026 22:30:00 +0000

Type                  Values Removed   Values Added
Description           (none)           Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Title                 (none)           Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key
Weaknesses            (none)           CWE-639
References            (none)           (none)
Metrics               (none)           cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T12:29:53.036Z

Reserved: 2026-01-26T19:06:16.060Z

Link: CVE-2026-24753

Vulnrichment

Updated: 2026-06-02T12:29:47.459Z

NVD

Status : Analyzed

Published: 2026-06-01T23:16:20.390

Modified: 2026-06-03T15:28:43.170

Link: CVE-2026-24753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T00:00:13Z

Weaknesses