Kiteworks CVE-2026-24755
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
AnalysisAI
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any authenticated user against resources owned by other users. All Kiteworks deployments running versions prior to 9.3.0 are affected, with the flaw rooted in missing ownership verification on resource authorization checks within the Secure Data Forms module. No public exploit code has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog; however, the low attack complexity and network accessibility make it a credible insider or credential-compromise risk in multi-tenant environments where data isolation is a compliance requirement.
Technical ContextAI
CWE-639 (Authorization Through User-Controlled Key) describes a pattern where an application accepts a user-supplied identifier - such as a resource ID in a URL parameter or request body - and uses it to locate and operate on objects without independently verifying that the requesting user owns or is authorized to access that object. In Kiteworks Secure Data Forms, this manifests as insufficient authorization checks on the server side when a permission-modification action is requested. The CPE string cpe:2.3:a:kiteworks:secure_data_forms:*:*:*:*:*:*:*:* indicates the vulnerability spans all versions of the Secure Data Forms application component within the Kiteworks private data network (PDN) platform. Kiteworks is an enterprise content collaboration and governance platform, meaning Secure Data Forms likely handles structured data collection workflows where resource ownership and access control are core security properties.
RemediationAI
The vendor-released patch is Kiteworks version 9.3.0, which addresses the authorization deficiency in Secure Data Forms. Administrators should upgrade to 9.3.0 or any later release as the primary remediation action, referencing the vendor advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-f8rf-7jq6-gch9 for guidance. If immediate upgrade is not feasible, a compensating control would be to restrict access to the Secure Data Forms feature to a minimal set of trusted, role-verified users by tightening account provisioning and reviewing existing user permissions - this reduces the pool of accounts that could abuse the IDOR. Additionally, enabling audit logging on permission-change operations within Kiteworks, if supported, would allow detection of anomalous cross-user permission modifications as a detective control. Note that neither workaround eliminates the underlying authorization flaw; they only reduce exposure until patching is possible.
More in Secure Data Forms
View allReflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated at
Reflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execut
A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attack
SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuild
Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprot
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms allows authenticated low-privileged users to modi
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to up
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated l
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 enables access to other us
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today