CVE-2026-29092 - Vulnerability Details

- Kiteworks Email Protection Gateway has an Insufficient Session Expiration

Description

Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.

Published: 2026-03-25

Score: 4.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Kiteworks Email Protection Gateway saves user sessions even after an account has been disabled, leading to a scenario where blocked users can continue to access the system until the session naturally times out. This weakness, classified as CWE‑613, allows the persistence of unauthorized access, compromising confidentiality and potentially allowing further unauthorized actions within the platform.

Affected Systems

Kiteworks Email Protection Gateway by Kiteworks is affected. All releases prior to version 9.2.1 lack the necessary session expiration logic. Users should upgrade to 9.2.1 or later to apply the vendor’s patch and eliminate the bug.

Risk and Exploitability

The CVSS base score of 4.9 indicates a limited impact; EPSS is below 1 %, signifying a low likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. The attack vector is inferred to be an authenticated session that remains active after the user is disabled; therefore, an attacker requires an existing, valid session to benefit. This flaw enables continued access by a previously blocked user rather than remote unauthenticated exploitation. While the risk is moderate, timely remediation reduces the window during which unauthorized users can exploit the system.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

kiteworks

Kiteworks Email Protection Gateway

affected

Version	Status	Constraints
`< 9.2.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Kiteworks

Kiteworks Email Protection Gateway

100%

Version	Status	Scheme	Platform
`[0,9.2.1)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Kiteworks Email Protection Gateway to version 9.2.1 or later.
If immediate upgrade is not possible, manually terminate sessions for disabled users to prevent continued access.
Regularly review authentication logs for activity from accounts marked as blocked and enforce policy to deactivate sessions once status changes.

Generated by OpenCVE AI on March 27, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/kiteworks/security-advisories/security/advisories/GHSA-92w7-fpjr-wpxc

History

Fri, 27 Mar 2026 19:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Accellion Accellion kiteworks
CPEs		cpe:2.3:a:accellion:kiteworks::::::::
Vendors & Products		Accellion Accellion kiteworks

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Kiteworks Kiteworks kiteworks Email Protection Gateway
Vendors & Products		Kiteworks Kiteworks kiteworks Email Protection Gateway

Wed, 25 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 25 Mar 2026 17:15:00 +0000

Type	Values Removed	Values Added
Description		Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.
Title		Kiteworks Email Protection Gateway has an Insufficient Session Expiration
Weaknesses		CWE-613
References		https://github.com/kiteworks/security-advisories/security/advisories/GHSA-92w7-fpjr-wpxc
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}`

Subscriptions

Accellion Kiteworks

Kiteworks Kiteworks Email Protection Gateway

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-25T16:59:55.033Z

Updated: 2026-03-25T17:29:41.481Z

Reserved: 2026-03-03T21:54:06.707Z

Link: CVE-2026-29092

Vulnrichment

Updated: 2026-03-25T17:29:36.886Z

NVD

Status : Analyzed

Published: 2026-03-25T17:16:57.330

Modified: 2026-03-27T19:01:19.560

Link: CVE-2026-29092

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-29T20:28:19Z

Weaknesses

CWE-613

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object