CVE-2026-28269 - Vulnerability Details

- Kiteworks Core has an OS Command Injection

Description

Kiteworks is a private data network (PDN). Prior to version 9.2.0, avulnerability in Kiteworks command execution functionality allows authenticated users to redirect command output to arbitrary file locations. This could be exploited to overwrite critical system files and gain elevated access. Version 9.2.0 contains a patch.

Published: 2026-02-26

Score: 5.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Kiteworks’ command execution module permits authenticated users to redirect command output to arbitrary file locations, effectively enabling overwriting of critical system files. This regression constitutes an OS command injection flaw classified as CWE‑78, allowing an attacker to alter system integrity and ultimately acquire elevated rights on the host. The vulnerability delivers a path from authentication to privilege escalation by exploiting the open file redirection capability within the command workflow.

Affected Systems

Vendors affected are Kiteworks, the private data network solution. All instances running versions prior to 9.2.0 are vulnerable; the fix is delivered in version 9.2.0 and later. No other manufacturers or product variations are listed as impacted.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity, while the EPSS value of less than 1% suggests a low probability of widespread exploitation at present. The vulnerability is not included in the CISA KEV catalog, further reducing its exploitation likelihood. Since the flaw requires valid user credentials to access the command execution functionality, attackers must first compromise or legitimately authenticate to the system. Once authenticated, they can manipulate output redirection to overwrite system files, providing a clear route to privilege escalation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

kiteworks

security-advisories

affected

Version	Status	Constraints
`< 9.2.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Kiteworks

Security-advisories

100%

Version	Status	Scheme	Platform
`[0,9.2.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official patch by upgrading to Kiteworks version 9.2.0 or later.
If a patch cannot be applied immediately, disable the command execution feature or restrict it so that only privileged accounts can invoke it.
Ensure that users are granted only the minimum permissions required for their roles, preventing unprivileged accounts from executing commands that could write system files.

Generated by OpenCVE AI on April 18, 2026 at 10:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00025.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/kiteworks/security-advisories/security/advisories/GHSA-6j64-6fpp-9453

History

Tue, 03 Mar 2026 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Accellion Accellion kiteworks
CPEs		cpe:2.3:a:accellion:kiteworks::::::::
Vendors & Products		Accellion Accellion kiteworks

Fri, 27 Feb 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 27 Feb 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kiteworks Kiteworks security-advisories
Vendors & Products		Kiteworks Kiteworks security-advisories

Thu, 26 Feb 2026 23:15:00 +0000

Type	Values Removed	Values Added
Description		Kiteworks is a private data network (PDN). Prior to version 9.2.0, avulnerability in Kiteworks command execution functionality allows authenticated users to redirect command output to arbitrary file locations. This could be exploited to overwrite critical system files and gain elevated access. Version 9.2.0 contains a patch.
Title		Kiteworks Core has an OS Command Injection
Weaknesses		CWE-78
References		https://github.com/kiteworks/security-advisories/security/advisories/GHSA-6j64-6fpp-9453
Metrics		cvssV3_1 `{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Accellion Kiteworks

Kiteworks Security-advisories

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-02-26T22:52:26.688Z

Updated: 2026-02-27T17:53:05.993Z

Reserved: 2026-02-26T01:52:58.733Z

Link: CVE-2026-28269

Vulnrichment

Updated: 2026-02-27T17:53:00.112Z

NVD

Status : Analyzed

Published: 2026-02-26T23:16:36.910

Modified: 2026-03-03T19:53:18.500

Link: CVE-2026-28269

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object