Kiteworks Secure Data Forms CVE-2026-24761
LOWSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
AnalysisAI
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 enables access to other users' resource metadata through insufficient ownership authorization checks on resource identifiers. The vulnerability is classified CWE-639 and carries a CVSS score of 3.7 (Low), reflecting limited confidentiality impact (metadata only, no content) and high attack complexity. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
Kiteworks is a private data network (PDN) platform; its Secure Data Forms component, identified by CPE cpe:2.3:a:kiteworks:secure_data_forms:*:*:*:*:*:*:*:*, allows users to collect and manage sensitive structured data. The root cause is CWE-639 (Authorization Through User-Controlled Key): the application relies on user-supplied resource identifiers (object references such as IDs) to locate resources but does not enforce server-side verification that the requesting user owns or is authorized to access the referenced object. This is a classic IDOR pattern where predictable or enumerable identifiers become the de facto access control mechanism, allowing lateral traversal across user-owned resources within the same application.
RemediationAI
Vendor-released patch: Kiteworks version 9.3.0. Upgrade to Kiteworks 9.3.0 or later as directed by the vendor description; this is the only confirmed remediation. The advisory is available at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-6489-ffwq-96hh. If immediate upgrade is not possible, consider restricting access to the Secure Data Forms feature to the minimum required user set and enabling access logging on resource retrieval endpoints to detect anomalous cross-user enumeration patterns. Note that access logging is a detective, not preventive, control and does not eliminate exposure.
More in Secure Data Forms
View allReflected cross-site scripting in Kiteworks Secure Data Forms (versions prior to 9.3.0) allows remote unauthenticated at
Reflected cross-site scripting in Kiteworks Secure Data Forms prior to version 9.3.0 allows external attackers to execut
A stored cross-site scripting (XSS) vulnerability exists in Kiteworks Secure Data Forms that allows authenticated attack
SQL injection in Kiteworks Secure Data Forms before version 9.3.0 allows an authenticated attacker holding the FormBuild
Kiteworks Secure Data Forms prior to version 9.2.1 contains a misconfiguration of security attributes that allows unprot
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms allows authenticated low-privileged users to modi
Kiteworks Secure Data Forms contains an unrestricted file upload vulnerability (CWE-434) that allows form managers to up
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms exposes a permission-modification vector for any
Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 allows any authenticated l
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today