Description
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Published: 2026-06-01
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kiteworks Secure Data Forms contains an Insecure Direct Object Reference flaw that permits an authenticated user to read metadata of resources owned by other users because ownership checks are missing. This does not grant execution or modification rights but exposes sensitive information about other users, potentially revealing project details, user identities, or other confidential data. The weakness is classified as CWE‑639: Authorization Bypass Through User‑Controlled Key.

Affected Systems

All installations of Kiteworks Secure Data Forms running versions earlier than 9.3.0 are affected, regardless of additional configuration. The issue is isolated to the Secure Data Forms module and does not extend to other Kiteworks components.

Risk and Exploitability

The CVSS score of 3.7 indicates a low‑to‑moderate severity; the EPSS score is unavailable, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to have valid user credentials within the system, so access is limited to authenticated users. Once authenticated, the attacker can inspect confidential metadata, which may lead to privacy violations or aid further attacks, but does not provide direct control over the system.

Generated by OpenCVE AI on June 1, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Kiteworks Secure Data Forms to version 9.3.0 or later to apply the vendor‑supplied fix
  • Ensure that all user accounts have the principle of least privilege and revoke any unnecessary administrative rights
  • Review and audit authorization checks for direct object reference patterns to confirm that proper ownership validation is enforced
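The third recommended action is easier to carry out with the pattern in front of you. The following is an added example, not Kiteworks code and not part of the OpenCVE record: a hypothetical form-metadata lookup in the vulnerable shape (CWE-639, the caller-chosen id selects any user's resource), the same handler with ownership enforced, and a small retrospective check over constructed access-log lines that flags successful reads by non-owners. Every name here (FormMeta, get_form_metadata_fixed, the log line format) is an assumption made for the illustration.

```python
"""Added illustration of CWE-639 (authorization bypass through a user-controlled
key) on a metadata endpoint, with the hardened form and a log check.
Hypothetical mini-application with constructed data; not Kiteworks code."""
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class FormMeta:
    form_id: int
    owner: str          # username of the resource owner
    title: str
    created: str


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


class NotFound(Exception):
    """Raised for both missing and foreign resources (see the fixed handler)."""


# Constructed sample data: two users, each owning one form.
FORMS: Dict[int, FormMeta] = {
    101: FormMeta(101, "alice", "Vendor onboarding", "2026-05-01"),
    102: FormMeta(102, "bob", "Incident intake", "2026-05-03"),
}


def get_form_metadata_vulnerable(user: User, form_id: int) -> dict:
    """The IDOR pattern: authentication happened upstream, but the handler
    never asks whether `user` may see `form_id`, so any authenticated caller
    reads any form's metadata simply by choosing the id."""
    form = FORMS.get(form_id)
    if form is None:
        raise NotFound(form_id)
    return asdict(form)


def is_owner_or_admin(user: User, form: FormMeta) -> bool:
    """Central ownership predicate: one place to audit and to extend later
    (sharing, group membership) without touching every handler."""
    return user.is_admin or form.owner == user.name


def get_form_metadata_fixed(user: User, form_id: int) -> dict:
    """Hardened handler: resolve the object, then check ownership before
    returning anything about it."""
    form = FORMS.get(form_id)
    # Collapse "does not exist" and "not yours" into one outcome so the
    # response does not reveal which ids are live.
    if form is None or not is_owner_or_admin(user, form):
        raise NotFound(form_id)
    return asdict(form)


# Constructed access-log lines: "<timestamp> user=<name> form=<id> status=<code>"
ACCESS_LOG = """\
2026-06-01T10:00:00Z user=alice form=101 status=200
2026-06-01T10:00:05Z user=alice form=102 status=200
2026-06-01T10:01:10Z user=bob form=102 status=200
2026-06-01T10:02:00Z user=bob form=999 status=404
"""


def find_cross_owner_reads(log_text: str, forms: Dict[int, FormMeta]) -> List[Tuple[str, int]]:
    """Retrospective check for logs written while the vulnerable handler was
    live: successful (200) reads where the requesting user is not the owner
    of record. Admin accounts would need to be allow-listed separately."""
    hits: List[Tuple[str, int]] = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        if fields.get("status") != "200":
            continue
        form = forms.get(int(fields["form"]))
        if form is not None and form.owner != fields["user"]:
            hits.append((fields["user"], form.form_id))
    return hits


if __name__ == "__main__":
    alice = User("alice")
    print(get_form_metadata_vulnerable(alice, 102))   # bob's metadata is returned
    try:
        get_form_metadata_fixed(alice, 102)
    except NotFound:
        print("fixed handler refuses form 102 for alice")
    print(find_cross_owner_reads(ACCESS_LOG, FORMS))   # [('alice', 102)]
```

The audit in the third bullet amounts to finding every handler shaped like `get_form_metadata_vulnerable` (object resolved by a caller-supplied key, returned without consulting the caller's relationship to it) and routing it through a single predicate like `is_owner_or_admin`; the log check is what you run over historical access records once the patched version is in place.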

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 13:30:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 00:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Kiteworks; Kiteworks secure Data Forms
Vendors & Products  |                | Kiteworks; Kiteworks secure Data Forms

Mon, 01 Jun 2026 22:30:00 +0000

Type        | Values Removed | Values Added
Description |                | Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Title       |                | Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key
Weaknesses  |                | CWE-639
References  |                |
Metrics     |                | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Kiteworks Secure Data Forms
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T13:02:25.811Z

Reserved: 2026-01-26T21:06:47.867Z

Link: CVE-2026-24761

Vulnrichment

Updated: 2026-06-02T13:02:21.741Z

NVD

Status : Awaiting Analysis

Published: 2026-06-01T23:16:20.960

Modified: 2026-06-02T13:55:46.237

Link: CVE-2026-24761

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T00:00:13Z

Weaknesses