CVE-2026-28271

Kiteworks Core is vulnerable to Server-Side Request Forgery (SSRF)

CVSS 6.5 (Medium) · EPSS 0.4% · CWE-350 (Reliance on Reverse DNS Resolution for a Security-Critical Action) · CWE-918 (Server-Side Request Forgery)
In short

Kiteworks, a file-sharing platform, had a flaw that let a malicious administrator bypass its SSRF protections and reach internal services that should have been off-limits, by controlling how a hostname resolves in DNS.

Technical detail

A Server-Side Request Forgery (SSRF) vulnerability in Kiteworks prior to v9.2.0 allows authenticated administrative users to circumvent SSRF protections via DNS rebinding attacks, enabling unauthorized access to internal network services. The vulnerability requires administrative privileges and relies on manipulation of DNS resolution to redirect requests from the application server to restricted internal endpoints. In a DNS rebinding bypass, the attacker-controlled hostname resolves to a harmless public address while the application validates it, then (with a very short TTL) to an internal address when the application's HTTP client resolves the same name again to make the request; the check and the use see different answers, so the filter passes a request that ultimately lands on an internal service.
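The following is an added illustration and not Kiteworks code; nothing about the actual configuration feature or its fix is known beyond the description above. It models the check-then-use pattern that DNS rebinding defeats (validate the hostname's address, then hand the hostname to an HTTP client that resolves it a second time) next to the usual fix of resolving once, validating that address, and connecting to it directly with the hostname carried in the Host header. The resolver, hostname, addresses and "services" are all constructed sample data; 203.0.113.10 (a documentation-only range) stands in for the attacker's public server.

```python
"""Added example (not Kiteworks code): DNS-rebinding bypass of an SSRF filter,
and the pinned-address fix. All hosts, IPs and services are constructed."""
import ipaddress
from collections import deque
from urllib.parse import urlparse

# Constructed "network": which service sits behind each address.
NETWORK = {
    "203.0.113.10": "attacker-controlled web server (public)",
    "169.254.169.254": "cloud metadata endpoint (internal)",
    "127.0.0.1": "local admin API (internal)",
}

# Ranges the filter refuses to talk to. Documentation ranges are deliberately
# left out so 203.0.113.10 can play the attacker's public host in this demo.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


class RebindingResolver:
    """Stand-in for the attacker's authoritative DNS (TTL 0): hands out the
    queued answers in order and repeats the last one once they run out."""

    def __init__(self, answers):
        self._answers = deque(answers)
        self.lookups = 0

    def resolve(self, hostname):
        self.lookups += 1
        if len(self._answers) == 1:
            return self._answers[0]
        return self._answers.popleft()


def is_internal(ip_str):
    """True if the address is in a blocked range or is multicast."""
    ip = ipaddress.ip_address(ip_str)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback, not a public v6 host
    return any(ip in net for net in BLOCKED_NETWORKS) or ip.is_multicast


def connect(ip, host):
    """Constructed transport: 'connects' to ip and reports what answered."""
    return {"ip": ip, "host_header": host, "service": NETWORK.get(ip, "unknown")}


def fetch_vulnerable(url, resolver):
    """Check-then-use: validate the name's address, then give the *name* to
    the HTTP client, which resolves it again and may get a different answer."""
    host = urlparse(url).hostname
    if is_internal(resolver.resolve(host)):  # lookup 1: attacker answers public
        raise PermissionError(f"{host} resolves to an internal address")
    ip_at_connect = resolver.resolve(host)  # lookup 2: attacker answers internal
    return connect(ip_at_connect, host)


def fetch_pinned(url, resolver):
    """Fix: resolve once, validate that address, connect to it directly and
    send the original hostname in the Host header. No second lookup."""
    host = urlparse(url).hostname
    ip = resolver.resolve(host)
    if is_internal(ip):
        raise PermissionError(f"{host} resolves to an internal address")
    return connect(ip, host)


def demo():
    """Run both clients against a rebinding name; return what each reached."""
    url = "http://rebind.attacker.example/"  # constructed hostname
    answers = ["203.0.113.10", "169.254.169.254"]
    return {
        "vulnerable": fetch_vulnerable(url, RebindingResolver(answers)),
        "pinned": fetch_pinned(url, RebindingResolver(answers)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result['ip']:16s} {result['service']}")
```

Two practical caveats for the pinned variant: real resolvers return several addresses, so validate every one and connect only to an address that passed; and redirects, alternate URL schemes and IPv4-mapped IPv6 literals each need the same check applied per hop. Connecting to a pinned IP over TLS also requires the client to still verify the certificate against the original hostname (SNI and hostname check), which is the point where hand-rolled pinning most often goes wrong. In a real deployment, prefer `ipaddress`'s `is_global` over a hand-maintained list, since it also rejects documentation and other special-purpose ranges.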

Summary generated and translated by AI from the official description.

Official description

Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks configuration functionality allows bypassing of SSRF protections through DNS rebinding attacks. Malicious administrators could exploit this to access internal services that should be restricted. Version 9.2.0 contains a patch for the issue.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
