Skip to main content

Core CVE-2026-23514

| EUVDEUVD-2026-15419 HIGH
Improper Ownership Management (CWE-282)
2026-03-25 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:16 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
9.2.2
EUVD ID Assigned
Mar 25, 2026 - 14:30 euvd
EUVD-2026-15419
Analysis Generated
Mar 25, 2026 - 14:30 vuln.today
CVE Published
Mar 25, 2026 - 14:19 nvd
HIGH 8.8

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch.

AnalysisAI

An access control vulnerability exists in Kiteworks Core versions 9.2.0 and 9.2.1 that allows authenticated users to access unauthorized content within the private data network. With a CVSS score of 8.8 (High), an attacker with low-level authenticated access can potentially access, modify, or delete sensitive data they should not have permissions to view. No public proof-of-concept or active exploitation (KEV listing) has been reported at this time.

Technical ContextAI

Kiteworks Core (cpe:2.3:a:kiteworks:core) is a private content network platform designed for secure file sharing and collaboration. This vulnerability is classified as CWE-282 (Improper Privilege Management), indicating a failure in the access control mechanism that enforces authorization boundaries between users and content. The flaw allows authenticated users to bypass intended access restrictions, potentially exposing sensitive documents, files, or data stored within the Kiteworks environment that should be protected by role-based or attribute-based access controls.

RemediationAI

Upgrade Kiteworks Core to version 9.2.2 or later immediately to remediate this vulnerability, as specified in the vendor security advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5. Organizations that cannot immediately upgrade should implement enhanced monitoring of user access patterns to detect potential unauthorized content access, review and restrict user privileges to minimum necessary levels, and consider implementing additional network segmentation to limit exposure until patching is complete. Audit logs should be reviewed for any suspicious access patterns that may indicate exploitation of this vulnerability in affected versions 9.2.0 and 9.2.1.

More in Core

View all
CVE-2020-15505 CRITICAL POC
9.8 Jul 07

A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,

CVE-2022-29777 CRITICAL POC
9.8 Jun 02

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via t

CVE-2022-29776 CRITICAL POC
9.8 Jun 02

Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via

CVE-2021-38145 CRITICAL POC
9.8 Aug 31

An issue was discovered in Form Tools through 3.0.20. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2023-5192 MEDIUM POC
6.5 Sep 27

Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0. Rated medium se

CVE-2021-38143 MEDIUM POC
6.1 Aug 31

An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 6.1), this vulnerability is remotely e

CVE-2020-15506 CRITICAL
9.8 Jul 07

An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,

CVE-2021-38144 MEDIUM POC
5.4 Aug 31

An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 5.4), this vulnerability is remotely e

CVE-2024-14036 HIGH
8.7 Jun 02

Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-

CVE-2026-55844 HIGH
7.5 Jun 29

Sensitive token disclosure affects the Home Assistant iOS companion app prior to 2025.5.0, where the app ignores the con

CVE-2020-15235 HIGH
7.5 Oct 05

In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would norm

CVE-2020-15507 HIGH
7.5 Jul 07

An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2,

Share

CVE-2026-23514 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy