Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.
AnalysisAI
A session management vulnerability in Kiteworks Email Protection Gateway versions prior to 9.2.1 allows disabled user accounts to maintain active sessions indefinitely until natural session expiration. An attacker with a disabled account could continue accessing the platform and potentially modify data or system settings without re-authentication. While this vulnerability has not been reported as actively exploited (KEV status not listed as in-the-wild), it represents a direct bypass of account suspension controls and warrants prompt patching.
Technical ContextAI
The vulnerability resides in the session management implementation of the Kiteworks Email Protection Gateway (CPE: cpe:2.3:a:kiteworks:kiteworks_email_protection_gateway:*:*:*:*:*:*:*:*), a private data network (PDN) component responsible for securing email communications. The root cause is classified under CWE-613 (Insufficient Session Expiration), which occurs when a system fails to properly invalidate or terminate active sessions when account status changes occur. Specifically, when an administrator disables a user account, the gateway does not revoke or invalidate any existing session tokens, allowing the disabled user's active sessions to persist with full authentication context intact until the session timeout is reached through normal lifecycle expiration.
RemediationAI
Upgrade Kiteworks Email Protection Gateway to version 9.2.1 or later immediately to receive the patch that properly invalidates sessions upon account disablement. Consult the official vendor security advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-92w7-fpjr-wpxc for detailed upgrade procedures and any interim mitigations. As a temporary compensating control, implement session monitoring and force manual session termination when accounts are disabled; configure user session policies to use shorter session timeout windows (e.g., 4-8 hours maximum) to reduce the window of exposure for disabled accounts with lingering sessions. Review audit logs for any active sessions from recently disabled users and manually revoke them.
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15807