CVE-2026-24755
MEDIUMKiteworks < 9.3.0 - Authenticated Authorization Bypass via Secure Data Forms
Title source: llmDescription
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/kiteworks/security-advisories/security/advisories/GHSA-f8rf-7jq6-gch9
Scores
CVSS v3
5.4
EPSS
0.0014
EPSS Percentile
3.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-639
Status
published
Products (2)
accellion/kiteworks
< 9.3.0
kiteworks/Secure Data Forms
< 9.3.0
Published
Jun 01, 2026
Tracked Since
Jun 02, 2026