Skip to main content

Kiteworks Secure Forms EUVDEUVD-2026-33742

| CVE-2026-23638 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-01 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 01, 2026 - 20:02 EUVD
Analysis Generated
Jun 01, 2026 - 19:36 vuln.today

DescriptionGitHub Advisory

Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

AnalysisAI

Insecure Direct Object Reference in Kiteworks Secure Data Forms (all versions prior to 9.3.0) allows any authenticated low-privileged user to tamper with internal approval flow configurations belonging to other users by substituting resource identifiers in API requests. The root cause is missing server-side ownership validation on form configuration endpoints, meaning the application does not verify whether the requesting user owns the referenced resource. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog, but the low attack complexity and lack of user interaction requirement make this straightforward to exploit once authenticated.

Technical ContextAI

Kiteworks is a private data network (PDN) platform designed for secure external file sharing and collaboration. The vulnerable component, Kiteworks Secure Data Forms, implements approval workflow configurations tied to individual user-owned form objects. CWE-639 (Authorization Bypass Through User-Controlled Key) describes the root cause: the server accepts a user-supplied object identifier - such as a form ID - and processes the request without verifying that the authenticated requester is the legitimate owner of that resource. The CPE string cpe:2.3:a:kiteworks:kiteworks_secure_data_forms:*:*:*:*:*:*:*:* (wildcard on version) confirms all releases of the Secure Data Forms component are affected prior to the 9.3.0 patch. The CVSS vector AV:N/AC:L/PR:L/UI:N reflects that the flaw is reachable over the network with no special conditions beyond holding any standard account.

RemediationAI

Vendor-released patch: Kiteworks version 9.3.0. Upgrade to Kiteworks 9.3.0 or later, as confirmed by both the CVE description and the vendor GitHub Security Advisory GHSA-8wmh-mg2h-hf46 (https://github.com/kiteworks/security-advisories/security/advisories/GHSA-8wmh-mg2h-hf46). If immediate upgrade is not feasible, consider restricting access to the Secure Data Forms feature to only explicitly authorized user roles, which reduces the pool of accounts capable of reaching the vulnerable endpoints - note this may limit legitimate workflow usage. Additionally, monitoring API access logs for unusual cross-user form object ID references can serve as a detection compensating control while patching is scheduled. No workaround fully eliminates the vulnerability without patching, as the flaw is in server-side authorization logic.

Share

EUVD-2026-33742 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy