Skip to main content

Kiteworks Secure Data Forms CVE-2026-24761

LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-01 GitHub_M
3.7
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 01, 2026 - 22:57 vuln.today

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

AnalysisAI

Insecure Direct Object Reference (IDOR) in Kiteworks Secure Data Forms prior to version 9.3.0 enables access to other users' resource metadata through insufficient ownership authorization checks on resource identifiers. The vulnerability is classified CWE-639 and carries a CVSS score of 3.7 (Low), reflecting limited confidentiality impact (metadata only, no content) and high attack complexity. No public exploit identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

Kiteworks is a private data network (PDN) platform; its Secure Data Forms component, identified by CPE cpe:2.3:a:kiteworks:secure_data_forms:*:*:*:*:*:*:*:*, allows users to collect and manage sensitive structured data. The root cause is CWE-639 (Authorization Through User-Controlled Key): the application relies on user-supplied resource identifiers (object references such as IDs) to locate resources but does not enforce server-side verification that the requesting user owns or is authorized to access the referenced object. This is a classic IDOR pattern where predictable or enumerable identifiers become the de facto access control mechanism, allowing lateral traversal across user-owned resources within the same application.

RemediationAI

Vendor-released patch: Kiteworks version 9.3.0. Upgrade to Kiteworks 9.3.0 or later as directed by the vendor description; this is the only confirmed remediation. The advisory is available at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-6489-ffwq-96hh. If immediate upgrade is not possible, consider restricting access to the Secure Data Forms feature to the minimum required user set and enabling access logging on resource retrieval endpoints to detect anomalous cross-user enumeration patterns. Note that access logging is a detective, not preventive, control and does not eliminate exposure.

Share

CVE-2026-24761 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy