Skip to main content

Secure Data Forms CVE-2026-23635

| EUVDEUVD-2026-15540 MEDIUM
Unprotected Transport of Credentials (CWE-523)
2026-03-25 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
9.2.1
EUVD ID Assigned
Mar 25, 2026 - 17:17 euvd
EUVD-2026-15540
Analysis Generated
Mar 25, 2026 - 17:17 vuln.today
CVE Published
Mar 25, 2026 - 16:57 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potentially lead to Unprotected Transport of Credentials under certain circumstances. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.

AnalysisAI

Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprotected transport of credentials over the network. This vulnerability affects all versions below 9.2.1 and enables attackers to intercept sensitive authentication material in transit, potentially leading to account compromise and unauthorized access to the private data network. No active exploitation in the wild (KEV) or public proof-of-concept has been reported, though the CVSS 6.5 score and high confidentiality impact indicate meaningful risk.

Technical ContextAI

The vulnerability stems from CWE-523 (Unprotected Transport of Credentials), where sensitive authentication credentials are transmitted without adequate encryption or secure transport mechanisms. Kiteworks Secure Data Forms (identified via CPE cpe:2.3:a:kiteworks:secure_data_forms:*:*:*:*:*:*:*:*) is a component of the Kiteworks private data network platform used for secure form-based data collection and transmission. The root cause involves a misconfiguration of security attributes—likely missing or improperly enforced HTTPS/TLS requirements, insufficient certificate pinning, or failure to set secure transport flags (such as the Secure and HttpOnly cookie attributes)—that permit credentials to be sent over unencrypted or inadequately protected channels. This is a configuration-level issue rather than a code defect, making it dependent on deployment settings.

RemediationAI

Organizations should upgrade Kiteworks Secure Data Forms to version 9.2.1 or later immediately to receive the security patch addressing the misconfigured security attributes. The patch corrects the transport security configuration to enforce credential protection. Until patching is feasible, operators should verify that all Kiteworks instances are deployed with HTTPS/TLS enforced end-to-end, implement network-level access controls to restrict Kiteworks form endpoints to trusted networks only, and audit current credential transmission logs for evidence of unencrypted transport. Additionally, enforce HSTS (HTTP Strict-Transport-Security) headers and ensure all cookies carrying credentials are marked with Secure and HttpOnly flags. Consult the vendor advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-9hw2-6qp4-3v8f for environment-specific mitigation guidance.

Share

CVE-2026-23635 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy