Kiteworks CVE-2026-24753
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
AnalysisAI
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms allows authenticated low-privileged users to modify form resources owned by other users without authorization. All Kiteworks deployments running versions prior to 9.3.0 are affected, with the vulnerability rooted in missing server-side ownership validation on resource identifiers in the Secure Data Forms module. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV; however, the low attack complexity and network accessibility make it a realistic lateral-privilege abuse path in multi-tenant Kiteworks environments.
Technical ContextAI
Kiteworks is an enterprise private data network (PDN) platform used for secure file sharing and data governance. The Secure Data Forms module - identified via CPE cpe:2.3:a:kiteworks:secure_data_forms:*:*:*:*:*:*:*:* - enables structured data collection workflows. The root cause is CWE-639 (Authorization Through User-Controlled Key), a class of IDOR where the application accepts a user-supplied identifier (e.g., a form or submission ID) and performs privileged operations on the referenced resource without verifying that the requesting user owns or has rights to that object. The CVSS vector AV:N/AC:L/PR:L/UI:N confirms the vulnerability is exploitable over the network by any authenticated user with no special technical preconditions, and the S:U scope indicates impact is confined to the affected user's authorization boundary without cascading to other system components.
RemediationAI
The vendor-released patch is Kiteworks version 9.3.0, which introduces proper authorization checks on resource ownership within Secure Data Forms. Organizations should upgrade to version 9.3.0 or later immediately, referencing the vendor advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-qmv7-28g4-hx9x for upgrade guidance. If immediate patching is not feasible, a compensating control is to restrict access to the Secure Data Forms feature to only those users who strictly require it, reducing the pool of potential abusers - note this does not eliminate the vulnerability but narrows the attack surface. Additionally, enabling audit logging on form submission and modification events can support detection of cross-user resource access patterns until the patch is applied. No workaround fully mitigates the underlying authorization flaw.
More in Secure Data Forms
View allReflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated at
Reflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execut
A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attack
SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuild
Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprot
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to up
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated l
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 enables access to other us
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today