Skip to main content

Kiteworks CVE-2026-24753

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-01 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 22:58 vuln.today

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

AnalysisAI

Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms allows authenticated low-privileged users to modify form resources owned by other users without authorization. All Kiteworks deployments running versions prior to 9.3.0 are affected, with the vulnerability rooted in missing server-side ownership validation on resource identifiers in the Secure Data Forms module. No public exploit code has been identified at time of analysis, and the issue is not listed in CISA KEV; however, the low attack complexity and network accessibility make it a realistic lateral-privilege abuse path in multi-tenant Kiteworks environments.

Technical ContextAI

Kiteworks is an enterprise private data network (PDN) platform used for secure file sharing and data governance. The Secure Data Forms module - identified via CPE cpe:2.3:a:kiteworks:secure_data_forms:*:*:*:*:*:*:*:* - enables structured data collection workflows. The root cause is CWE-639 (Authorization Through User-Controlled Key), a class of IDOR where the application accepts a user-supplied identifier (e.g., a form or submission ID) and performs privileged operations on the referenced resource without verifying that the requesting user owns or has rights to that object. The CVSS vector AV:N/AC:L/PR:L/UI:N confirms the vulnerability is exploitable over the network by any authenticated user with no special technical preconditions, and the S:U scope indicates impact is confined to the affected user's authorization boundary without cascading to other system components.

RemediationAI

The vendor-released patch is Kiteworks version 9.3.0, which introduces proper authorization checks on resource ownership within Secure Data Forms. Organizations should upgrade to version 9.3.0 or later immediately, referencing the vendor advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-qmv7-28g4-hx9x for upgrade guidance. If immediate patching is not feasible, a compensating control is to restrict access to the Secure Data Forms feature to only those users who strictly require it, reducing the pool of potential abusers - note this does not eliminate the vulnerability but narrows the attack surface. Additionally, enabling audit logging on form submission and modification events can support detection of cross-user resource access patterns until the patch is applied. No workaround fully mitigates the underlying authorization flaw.

Share

CVE-2026-24753 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy