Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch.
AnalysisAI
An access control vulnerability exists in Kiteworks Core versions 9.2.0 and 9.2.1 that allows authenticated users to access unauthorized content within the private data network. With a CVSS score of 8.8 (High), an attacker with low-level authenticated access can potentially access, modify, or delete sensitive data they should not have permissions to view. No public proof-of-concept or active exploitation (KEV listing) has been reported at this time.
Technical ContextAI
Kiteworks Core (cpe:2.3:a:kiteworks:core) is a private content network platform designed for secure file sharing and collaboration. This vulnerability is classified as CWE-282 (Improper Privilege Management), indicating a failure in the access control mechanism that enforces authorization boundaries between users and content. The flaw allows authenticated users to bypass intended access restrictions, potentially exposing sensitive documents, files, or data stored within the Kiteworks environment that should be protected by role-based or attribute-based access controls.
RemediationAI
Upgrade Kiteworks Core to version 9.2.2 or later immediately to remediate this vulnerability, as specified in the vendor security advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5. Organizations that cannot immediately upgrade should implement enhanced monitoring of user access patterns to detect potential unauthorized content access, review and restrict user privileges to minimum necessary levels, and consider implementing additional network segmentation to limit exposure until patching is complete. Audit logs should be reviewed for any suspicious access patterns that may indicate exploitation of this vulnerability in affected versions 9.2.0 and 9.2.1.
A remote code execution vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a heap overflow via t
Onlyoffice Document Server v6.0.0 and below and Core 6.1.0.26 and below were discovered to contain a stack overflow via
An issue was discovered in Form Tools through 3.0.20. Rated critical severity (CVSS 9.8), this vulnerability is remotely
Excessive Data Query Operations in a Large Data Table in GitHub repository pimcore/demo prior to 10.3.0. Rated medium se
An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 6.1), this vulnerability is remotely e
An authentication bypass vulnerability in MobileIron Core & Connector versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1,
An issue was discovered in Form Tools through 3.0.20. Rated medium severity (CVSS 5.4), this vulnerability is remotely e
Dräger Core 1.0.5 and Dräger M540 Converter Service 1.0.9 contain a denial of service vulnerability that allows network-
Sensitive token disclosure affects the Home Assistant iOS companion app prior to 2025.5.0, where the app ignores the con
In RACTF before commit f3dc89b, unauthenticated users are able to get the value of sensitive config keys that would norm
An arbitrary file reading vulnerability in MobileIron Core versions 10.3.0.3 and earlier, 10.4.0.0, 10.4.0.1, 10.4.0.2,
Same weakness CWE-282 – Improper Ownership Management
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15419