Skip to main content

Kiteworks CVE-2026-24755

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-01 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 22:57 vuln.today

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

AnalysisAI

Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any authenticated user against resources owned by other users. All Kiteworks deployments running versions prior to 9.3.0 are affected, with the flaw rooted in missing ownership verification on resource authorization checks within the Secure Data Forms module. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the low attack complexity and network accessibility make it a credible insider or credential-compromise risk in multi-tenant environments where data isolation is a compliance requirement.

Technical ContextAI

CWE-639 (Authorization Through User-Controlled Key) describes a pattern where an application accepts a user-supplied identifier - such as a resource ID in a URL parameter or request body - and uses it to locate and operate on objects without independently verifying that the requesting user owns or is authorized to access that object. In Kiteworks Secure Data Forms, this manifests as insufficient authorization checks on the server side when a permission-modification action is requested. The CPE string cpe:2.3:a:kiteworks:secure_data_forms:*:*:*:*:*:*:*:* indicates the vulnerability spans all versions of the Secure Data Forms application component within the Kiteworks private data network (PDN) platform. Kiteworks is an enterprise content collaboration and governance platform, meaning Secure Data Forms likely handles structured data collection workflows where resource ownership and access control are core security properties.

RemediationAI

The vendor-released patch is Kiteworks version 9.3.0, which addresses the authorization deficiency in Secure Data Forms. Administrators should upgrade to 9.3.0 or any later release as the primary remediation action, referencing the vendor advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-f8rf-7jq6-gch9 for guidance. If immediate upgrade is not feasible, a compensating control would be to restrict access to the Secure Data Forms feature to a minimal set of trusted, role-verified users by tightening account provisioning and reviewing existing user permissions - this reduces the pool of accounts that could abuse the IDOR. Additionally, enabling audit logging on permission-change operations within Kiteworks, if supported, would allow detection of anomalous cross-user permission modifications as a detective control. Note that neither workaround eliminates the underlying authorization flaw; they only reduce exposure until patching is possible.

Share

CVE-2026-24755 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy