Skip to main content

Kiteworks Secure Data Forms

1 CVEs product

Monthly

CVE-2026-23638 MEDIUM PATCH This Month

Insecure Direct Object Reference in Kiteworks Secure Data Forms (all versions prior to 9.3.0) allows any authenticated low-privileged user to tamper with internal approval flow configurations belonging to other users by substituting resource identifiers in API requests. The root cause is missing server-side ownership validation on form configuration endpoints, meaning the application does not verify whether the requesting user owns the referenced resource. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog, but the low attack complexity and lack of user interaction requirement make this straightforward to exploit once authenticated.

Authentication Bypass Kiteworks Secure Data Forms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Insecure Direct Object Reference in Kiteworks Secure Data Forms (all versions prior to 9.3.0) allows any authenticated low-privileged user to tamper with internal approval flow configurations belonging to other users by substituting resource identifiers in API requests. The root cause is missing server-side ownership validation on form configuration endpoints, meaning the application does not verify whether the requesting user owns the referenced resource. No public exploit code has been identified at time of analysis, and this vulnerability has not been added to the CISA KEV catalog, but the low attack complexity and lack of user interaction requirement make this straightforward to exploit once authenticated.

Authentication Bypass Kiteworks Secure Data Forms
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy