CVE-2026-23638

Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key

CVSS 6.5 MEDIUM | EPSS 0.2% | CWE-639
In short

Kiteworks Secure Data Forms has a flaw where logged-in users can modify form settings and approval workflows of other users' forms because the system doesn't properly verify who owns each form. This allows attackers to bypass intended access controls and interfere with other people's business processes.

Technical detail

An IDOR vulnerability exists in Kiteworks Secure Data Forms (pre-9.3.0) where authenticated users can tamper with approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. The attack vector is network-based and requires prior authentication; impact includes unauthorized modification of form workflows and approval processes.

Summary generated and translated by AI from the official description.
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
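The root cause described above is a resource lookup keyed only on a client-supplied identifier, with no check that the caller owns the resource. The following is an added illustration, not Kiteworks code and not derived from the vendor's implementation: a hypothetical in-memory store of data forms (`make_sample_store`, `DataForm`, the user and approver names) with the vulnerable lookup pattern beside the ownership-scoped one, and a small audit hook so denied attempts are visible to monitoring.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller does not own the resource it is trying to change."""


@dataclass
class DataForm:
    form_id: int
    owner: str
    approvers: list = field(default_factory=list)


def make_sample_store():
    """Constructed sample data (hypothetical): two users, each owning one form."""
    return {
        101: DataForm(101, "alice", ["manager@example.test"]),
        102: DataForm(102, "bob", ["finance@example.test"]),
    }


def update_approvers_insecure(store, current_user, form_id, approvers):
    """Vulnerable pattern: the form is fetched by the client-supplied id alone.

    Authentication happened earlier, but nothing ties `current_user` to the
    form, so any logged-in user can rewrite any form's approval flow.
    """
    form = store[form_id]
    form.approvers = list(approvers)
    return form


def update_approvers(store, current_user, form_id, approvers, audit=None):
    """Hardened pattern: the lookup is scoped to the caller's own forms.

    A valid id that belongs to someone else is treated exactly like a missing
    one, so responses do not reveal which ids exist. Denied attempts are
    recorded so repeated cross-tenant probing shows up in monitoring.
    """
    form = store.get(form_id)
    if form is None or form.owner != current_user:
        if audit is not None:
            audit.append({"user": current_user, "form_id": form_id, "action": "update_approvers"})
        raise Forbidden(f"user {current_user!r} may not modify form {form_id}")
    form.approvers = list(approvers)
    return form


if __name__ == "__main__":
    store = make_sample_store()
    denied = []
    try:
        update_approvers(store, "bob", 101, ["bob@example.test"], audit=denied)
    except Forbidden as exc:
        print("denied:", exc)
    print("audit trail:", denied)
    print("alice's approvers unchanged:", store[101].approvers)
```

The fix is the single `form.owner != current_user` comparison on the server side; checking it at lookup time (rather than in a separate permission layer that a new endpoint might forget to call) is the habit that prevents this CWE-639 class of bug from recurring.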
