CVE-2026-23638
MEDIUM
Kiteworks < 9.3.0 - Authenticated Insecure Direct Object Reference in Secure Data Forms
Title source: llm
Description
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
Scores
CVSS v3: 6.5
EPSS: 0.0018
EPSS Percentile: 8.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Details
CWE: CWE-639
Status: published
Products (1)
accellion/kiteworks: < 9.3.0
Published: Jun 01, 2026
Tracked Since: Jun 02, 2026