Skip to main content

Kiteworks Secure Data Forms CVE-2026-24756

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-01 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 22:57 vuln.today

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

AnalysisAI

Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated low-privileged user to modify form resources owned by other users by substituting controlled resource identifiers in API requests, bypassing ownership authorization checks. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the vulnerability is remotely exploitable with no complexity barrier beyond holding a valid account. No public exploit code and no CISA KEV listing identified at time of analysis; real-world risk is concentrated in multi-tenant Kiteworks deployments where data isolation between users is a security expectation.

Technical ContextAI

CWE-639 (Authorization Through User-Controlled Key) describes the root cause: the Kiteworks Secure Data Forms component trusts a user-supplied resource identifier (e.g., a numeric ID or UUID in a request parameter) to locate and mutate a backend resource, without verifying that the authenticated session's owner matches the resource's recorded owner. This is a server-side authorization gap, not a client-side bypass. The affected component is scoped to the Secure Data Forms feature (CPE: cpe:2.3:a:kiteworks:secure_data_forms:*:*:*:*:*:*:*:*), covering all releases prior to 9.3.0. Kiteworks is a private data network (PDN) platform; its Secure Data Forms feature is designed for controlled data collection, making unauthorized modification of submitted or stored form data a meaningful integrity breach in regulated or sensitive data workflows.

RemediationAI

Upgrade Kiteworks to version 9.3.0 or later, which contains the vendor-released patch addressing the missing ownership authorization check in Secure Data Forms. This is confirmed as the primary fix per the vendor description. The advisory is published at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-jgvj-mf78-rxx8. For organizations unable to patch immediately, a compensating control is to restrict access to the Secure Data Forms feature to the minimum set of users required, reducing the pool of accounts that could exploit the IDOR. Additionally, reviewing audit logs for anomalous cross-user resource modification patterns can help detect potential exploitation. Note that neither workaround eliminates the underlying authorization flaw - patching to 9.3.0 is the only complete remediation.

Share

CVE-2026-24756 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy