Description
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Published: 2026-06-01
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Insecure Direct Object Reference flaw exists in Kiteworks Secure Data Forms that allows an authenticated user to change the permissions of data resources owned by others. The weakness, identified as CWE-639, permits the modification of access controls without adequate ownership checks, potentially enabling covert data sharing or loss of confidentiality. The vulnerability does not expose remote code execution or data exfiltration directly, but it does compromise the integrity and confidentiality of protected files within the private data network.

Affected Systems

Kiteworks Secure Data Forms versions prior to 9.3.0 are affected. The flaw is present in all releases of the product before the 9.3.0 update, regardless of the deployment environment or user role, as long as the user is authenticated. No specific hardware or operating system is required for exploitation.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. At the time of this assessment no EPSS data is available, and the issue is not listed in the CISA KEV catalog, implying that it is not known to be actively exploited in the wild. The attack vector is inferred to be Authenticated. An attacker who has legitimate credentials can target any resource owned by another user and alter its permissions, provided they have network access to the Kiteworks instance.

Generated by OpenCVE AI on June 1, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kiteworks Secure Data Forms to version 9.3.0 or later to apply the vendor-supplied fix.
  • Restrict permission-modification capabilities to owners only and implement an ownership check before any access-control changes.
  • Review and audit existing permission settings to detect and correct any inadvertent privilege escalations caused by the IDOR flaw.
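The ownership check the second action describes, as an added illustration that is not Kiteworks' own code: a permission-update handler that trusts a client-supplied resource key, beside the hardened form that resolves the object and verifies the caller owns it, plus a small audit over constructed grant records for the third action. The resource model, user names, records and the `Forbidden` class are all assumptions.

```python
# Added example, not Kiteworks code: CWE-639 missing-ownership-check handler
# beside its fixed form, and an audit over constructed grant records.
from dataclasses import dataclass, field

@dataclass
class Resource:
    resource_id: str
    owner: str
    shared_with: set = field(default_factory=set)

# Constructed sample data: two users, each owning one form resource.
RESOURCES = {
    "form-1": Resource("form-1", "alice"),
    "form-2": Resource("form-2", "bob"),
}

class Forbidden(Exception):
    """Raised when the caller is not allowed to change the resource."""

def update_permissions_vulnerable(actor, resource_id, grantee):
    """Missing-check form: the resource key comes straight from the client and
    the actor is never compared with the owner, so any authenticated user can
    share any resource (the behaviour described in the advisory)."""
    res = RESOURCES[resource_id]
    res.shared_with.add(grantee)
    return res

def update_permissions_fixed(actor, resource_id, grantee):
    """Hardened form: resolve the object, then require that the caller owns it
    before touching its access-control list."""
    res = RESOURCES.get(resource_id)
    if res is None or res.owner != actor:
        # One response for 'missing' and 'not yours' avoids leaking existence.
        raise Forbidden("not permitted")
    res.shared_with.add(grantee)
    return res

def audit_grants(resources, grant_log):
    """Flag grant-log rows (actor, resource_id, grantee) where the actor was
    not the resource owner; these are the changes worth reviewing after a fix."""
    return [row for row in grant_log
            if row[1] in resources and resources[row[1]].owner != row[0]]
```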



Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 00:15:00 +0000

Type: First Time appeared
Values Added: Kiteworks; Kiteworks secure Data Forms
Type: Vendors & Products
Values Added: Kiteworks; Kiteworks secure Data Forms

Mon, 01 Jun 2026 22:30:00 +0000

Type: Description
Values Added: Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Type: Title
Values Added: Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key
Type: Weaknesses
Values Added: CWE-639
Type: References
Values Added: (none listed)
Type: Metrics (cvssV3_1)
Values Added:

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T15:51:03.593Z

Reserved: 2026-01-26T19:06:16.060Z

Link: CVE-2026-24755

Vulnrichment

Updated: 2026-06-02T15:50:59.651Z

NVD

Status: Awaiting Analysis

Published: 2026-06-01T23:16:20.677

Modified: 2026-06-02T13:55:46.237

Link: CVE-2026-24755

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T00:00:14Z

Weaknesses