Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Description

Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

Basic Information

ID CVE-2026-23638

Source GitHub_M

Published Jun 1, 2026 at 18:11

Affected Product

Vendor kiteworks

Product Kiteworks Secure Data Forms

Version < 9.3.0

Affected Versions kiteworks Kiteworks Secure Data Forms < 9.3.0

CWE Classification

CWE-639

References

github.com /kiteworks/security-advisories/security/advisories/GHSA-8wmh-mg2h-hf46

{
    "lastseen": "",
    "description": "Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.",
    "published": "2026-06-01T18:11:35.851Z",
    "modified": "2026-06-01T18:11:35.851Z",
    "type": "cve",
    "title": "Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key",
    "source": "GitHub_M",
    "references": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-8wmh-mg2h-hf46",
    "id": "CVE-2026-23638",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "kiteworks Kiteworks Secure Data Forms < 9.3.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Kiteworks Secure Data Forms",
    "version": "< 9.3.0",
    "vendor": "kiteworks",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key_CVE-2026-23638