Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potentially lead to Unprotected Transport of Credentials under certain circumstances. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.
AnalysisAI
Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprotected transport of credentials over the network. This vulnerability affects all versions below 9.2.1 and enables attackers to intercept sensitive authentication material in transit, potentially leading to account compromise and unauthorized access to the private data network. No active exploitation in the wild (KEV) or public proof-of-concept has been reported, though the CVSS 6.5 score and high confidentiality impact indicate meaningful risk.
Technical ContextAI
The vulnerability stems from CWE-523 (Unprotected Transport of Credentials), where sensitive authentication credentials are transmitted without adequate encryption or secure transport mechanisms. Kiteworks Secure Data Forms (identified via CPE cpe:2.3:a:kiteworks:secure_data_forms:*:*:*:*:*:*:*:*) is a component of the Kiteworks private data network platform used for secure form-based data collection and transmission. The root cause involves a misconfiguration of security attributes—likely missing or improperly enforced HTTPS/TLS requirements, insufficient certificate pinning, or failure to set secure transport flags (such as the Secure and HttpOnly cookie attributes)—that permit credentials to be sent over unencrypted or inadequately protected channels. This is a configuration-level issue rather than a code defect, making it dependent on deployment settings.
RemediationAI
Organizations should upgrade Kiteworks Secure Data Forms to version 9.2.1 or later immediately to receive the security patch addressing the misconfigured security attributes. The patch corrects the transport security configuration to enforce credential protection. Until patching is feasible, operators should verify that all Kiteworks instances are deployed with HTTPS/TLS enforced end-to-end, implement network-level access controls to restrict Kiteworks form endpoints to trusted networks only, and audit current credential transmission logs for evidence of unencrypted transport. Additionally, enforce HSTS (HTTP Strict-Transport-Security) headers and ensure all cookies carrying credentials are marked with Secure and HttpOnly flags. Consult the vendor advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-9hw2-6qp4-3v8f for environment-specific mitigation guidance.
More in Secure Data Forms
View allReflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated at
Reflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execut
A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attack
SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuild
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms allows authenticated low-privileged users to modi
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to up
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated l
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 enables access to other us
Same weakness CWE-523 – Unprotected Transport of Credentials
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15540