Description
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Published: 2026-06-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kiteworks Secure Data Forms contains an insecure direct object reference that lets an authenticated user modify or delete data owned by other users. The vulnerability is a direct result of missing ownership checks on objects such as form definitions, submission data, or associated file uploads. If exploited, a legitimate user could gain full control over another user’s confidential records, leading to confidentiality and integrity violations. The weakness is classified as CWE-639.

Affected Systems

The issue affects all installations of kiteworks:Secure Data Forms before version 9.3.0. Users with normal authentication rights are able to engage the IDOR. No other products or versions are listed as affected.

Risk and Exploitability

The CVSS base score of 4.3 places the vulnerability in the low severity range. The EPSS score is not available, and it is not listed in CISA’s KEV catalog, indicating a low likelihood of widespread exploitation at present. The likely attack vector requires a valid user account – an authenticated attacker can supply arbitrary resource identifiers to target another user's data. Until mitigation, any organization running an affected version must monitor user activity for unauthorized modifications and promptly upgrade.

Generated by OpenCVE AI on June 1, 2026 at 23:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kiteworks Secure Data Forms to version 9.3.0 or later to receive the vendor patch
  • Ensure that the new version is correctly deployed across all environments before removing vulnerable access paths
  • Perform a quick audit or test to confirm that cross‑user access to forms and submissions is no longer possible

Generated by OpenCVE AI on June 1, 2026 at 23:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Accellion
Accellion kiteworks
CPEs cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*
Vendors & Products Accellion
Accellion kiteworks

Tue, 02 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Kiteworks
Kiteworks secure Data Forms
Vendors & Products Kiteworks
Kiteworks secure Data Forms

Mon, 01 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Title Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Accellion Kiteworks
Kiteworks Secure Data Forms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T12:30:24.647Z

Reserved: 2026-01-26T19:06:16.060Z

Link: CVE-2026-24756

cve-icon Vulnrichment

Updated: 2026-06-02T12:30:18.619Z

cve-icon NVD

Status : Analyzed

Published: 2026-06-01T23:16:20.827

Modified: 2026-06-03T15:26:29.950

Link: CVE-2026-24756

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T00:30:26Z

Weaknesses