CVE-2026-29092

Kiteworks Email Protection Gateway has an Insufficient Session Expiration vulnerability

CVSS 4.9 (MEDIUM) · EPSS 0.2% · CWE-613
In short

Kiteworks Email Protection Gateway doesn't properly log out disabled users, so they can keep accessing the system until their session expires on its own. This means a blocked account could still be used if its holder had an active session at the time it was blocked.

Technical detail

CWE-613 (insufficient session expiration) in Kiteworks Email Protection Gateway allows blocked or disabled user accounts to keep valid sessions and continue accessing protected resources. Exploitation requires a pre-existing active session at the time the account is disabled; the impact is unauthorized continued access until the session timeout occurs.

Summary generated and translated by AI from the official description.
Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
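The weakness described above is generic: a session check that only consults the session's own lifetime never notices that the account behind it has since been disabled. The following is an added illustration, not Kiteworks code and not a description of how the Email Protection Gateway is implemented; the `SessionStore`, `Account` and `Session` names and the clock values are constructed for the example. It shows the vulnerable check beside a hardened one that re-validates account state on every request, and a disable path that revokes live sessions instead of leaving them to time out.

```python
"""
Constructed illustration of CWE-613 (insufficient session expiration):
a session that stays valid after the account behind it is disabled.
Generic example code; it is not Kiteworks code and makes no claim about
how the Email Protection Gateway is implemented.
"""
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    enabled: bool = True


@dataclass
class Session:
    token: str
    username: str
    expires_at: float   # absolute time in seconds


class SessionStore:
    """Minimal in-memory session store keyed by an opaque token (assumed design)."""

    def __init__(self, ttl_seconds: float = 3600.0):
        self.ttl = ttl_seconds
        self.sessions: dict[str, Session] = {}
        self.accounts: dict[str, Account] = {}

    def add_account(self, username: str) -> Account:
        acct = Account(username)
        self.accounts[username] = acct
        return acct

    def login(self, username: str, now: float) -> str:
        acct = self.accounts[username]
        if not acct.enabled:
            raise PermissionError("account disabled")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, username, now + self.ttl)
        return token

    # Vulnerable check: only the session's own lifetime is consulted, so a
    # session issued before the account was disabled remains usable until TTL.
    def is_valid_vulnerable(self, token: str, now: float) -> bool:
        sess = self.sessions.get(token)
        return sess is not None and now < sess.expires_at

    # Hardened check: re-validate the owning account on every request and
    # discard the session as soon as the account is no longer enabled.
    def is_valid_hardened(self, token: str, now: float) -> bool:
        sess = self.sessions.get(token)
        if sess is None or now >= sess.expires_at:
            return False
        acct = self.accounts.get(sess.username)
        if acct is None or not acct.enabled:
            self.sessions.pop(token, None)
            return False
        return True

    # Disabling an account should also revoke its live sessions; the
    # revoke_sessions=False branch reproduces the CWE-613 behaviour.
    def disable_account(self, username: str, revoke_sessions: bool) -> int:
        self.accounts[username].enabled = False
        if not revoke_sessions:
            return 0
        stale = [t for t, s in self.sessions.items() if s.username == username]
        for t in stale:
            del self.sessions[t]
        return len(stale)


def demo() -> dict:
    """Run both scenarios and return the observed outcomes."""
    store = SessionStore(ttl_seconds=3600)
    store.add_account("alice")
    store.add_account("bob")
    t0 = 1_000_000.0   # constructed clock value, seconds
    alice_tok = store.login("alice", now=t0)
    bob_tok = store.login("bob", now=t0)
    results = {}
    # Scenario 1: account disabled, sessions left alone (the reported weakness).
    store.disable_account("alice", revoke_sessions=False)
    results["vulnerable_still_valid"] = store.is_valid_vulnerable(alice_tok, t0 + 60)
    results["vulnerable_after_ttl"] = store.is_valid_vulnerable(alice_tok, t0 + 3601)
    results["hardened_still_valid"] = store.is_valid_hardened(alice_tok, t0 + 60)
    # Scenario 2: disabling revokes live sessions, so even the weak check fails.
    results["revoked_count"] = store.disable_account("bob", revoke_sessions=True)
    results["revoked_vulnerable_valid"] = store.is_valid_vulnerable(bob_tok, t0 + 60)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two fixes are complementary: revoking sessions at disable time closes the window immediately, and re-checking account state per request catches cases where the session store and the account directory are separate systems and the revocation did not reach every node. A defender auditing a product for this class of issue can test exactly this sequence (log in, disable the account, replay the session) in a lab instance.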
