Skip to main content

Kiteworks Email Protection Gateway CVE-2026-29092

| EUVDEUVD-2026-15807 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-03-25 GitHub_M
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
9.2.1
EUVD ID Assigned
Mar 25, 2026 - 17:17 euvd
EUVD-2026-15807
Analysis Generated
Mar 25, 2026 - 17:17 vuln.today
CVE Published
Mar 25, 2026 - 16:59 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.

AnalysisAI

A session management vulnerability in Kiteworks Email Protection Gateway versions prior to 9.2.1 allows disabled user accounts to maintain active sessions indefinitely until natural session expiration. An attacker with a disabled account could continue accessing the platform and potentially modify data or system settings without re-authentication. While this vulnerability has not been reported as actively exploited (KEV status not listed as in-the-wild), it represents a direct bypass of account suspension controls and warrants prompt patching.

Technical ContextAI

The vulnerability resides in the session management implementation of the Kiteworks Email Protection Gateway (CPE: cpe:2.3:a:kiteworks:kiteworks_email_protection_gateway:*:*:*:*:*:*:*:*), a private data network (PDN) component responsible for securing email communications. The root cause is classified under CWE-613 (Insufficient Session Expiration), which occurs when a system fails to properly invalidate or terminate active sessions when account status changes occur. Specifically, when an administrator disables a user account, the gateway does not revoke or invalidate any existing session tokens, allowing the disabled user's active sessions to persist with full authentication context intact until the session timeout is reached through normal lifecycle expiration.

RemediationAI

Upgrade Kiteworks Email Protection Gateway to version 9.2.1 or later immediately to receive the patch that properly invalidates sessions upon account disablement. Consult the official vendor security advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-92w7-fpjr-wpxc for detailed upgrade procedures and any interim mitigations. As a temporary compensating control, implement session monitoring and force manual session termination when accounts are disabled; configure user session policies to use shorter session timeout windows (e.g., 4-8 hours maximum) to reduce the window of exposure for disabled accounts with lingering sessions. Review audit logs for any active sessions from recently disabled users and manually revoke them.

Share

CVE-2026-29092 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy