CVE-2026-23638: Kiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance
Kiteworks, a platform designed to secure and control data sharing across organizations, contains a flaw that allows authenticated users to modify form approval workflows that belong to other users. The vulnerability stems from inadequate checks on who actually owns or has permission to modify a particular form's configuration. An attacker with valid Kiteworks credentials could exploit this to alter how forms route for approval, potentially disrupting legitimate business processes or gaining unauthorized visibility into sensitive approvals.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-23638 is an Insecure Direct Object Reference (IDOR) vulnerability affecting Kiteworks versions prior to 9.3.0. The Secure Data Forms component fails to properly validate authorization on resource ownership before allowing modification of internal approval flow configurations. An authenticated attacker can craft requests to manipulate form approval settings associated with other users by directly referencing those resources without adequate permission validation. The vulnerability requires valid authentication credentials but no additional user interaction, making it straightforward to exploit once an attacker has account access.
Business impact
This vulnerability enables insider threats and account compromise scenarios to expand their impact. An attacker with any valid Kiteworks user account could disrupt critical data approval workflows by reconfiguring forms used by other departments or teams. This could lead to data governance violations, delayed business processes, unauthorized data routing, or creation of backdoors in approval chains. Organizations relying on Kiteworks for compliance-sensitive data handling (healthcare, finance, legal) face heightened risk of audit findings or regulatory scrutiny if form tampering goes undetected.
Affected systems
Kiteworks versions prior to 9.3.0 are vulnerable. The Secure Data Forms module is the specific affected component. Only authenticated users can exploit this vulnerability, so exposure is limited to organizations where the attacker has obtained or been granted valid credentials. Verify your current Kiteworks version against vendor advisories to confirm exact affected release lines.
Exploitability
Exploitation requires valid Kiteworks authentication but no special privileges, browser manipulation, or user interaction. An attacker with standard user credentials can directly interact with the API or web interface to modify other users' form configurations. The CVSS score of 6.5 (MEDIUM) reflects the requirement for prior authentication; however, the ease of exploitation once credentials are obtained and the direct integrity impact elevate practical risk in environments with weak access controls or high user counts.
Remediation
Upgrade Kiteworks to version 9.3.0 or later. This patched version includes proper authorization checks to ensure users can only modify approval workflows on forms they own or have explicit permission to manage. Coordinate the upgrade during a maintenance window and test form approval processes post-deployment to confirm workflows function as expected.
Patch guidance
Apply Kiteworks version 9.3.0 or any later release. Verify the patch version in the Kiteworks admin console under system information. If you are on a maintenance or extended support contract, check the vendor advisory for any interim workarounds or staged rollout recommendations. Test in a staging environment first, particularly if you have custom approval workflows, to avoid disruption to production data handling processes.
Detection guidance
Monitor Kiteworks audit logs for unusual modifications to Secure Data Forms configurations, particularly changes to approval workflows by users who do not typically manage those forms. Look for API calls or web requests that modify form settings for users other than the requester. Implement alerting on bulk or repeated form configuration changes within short time windows. Organizations using SIEM solutions should correlate Kiteworks authentication events with subsequent form modification events to detect lateral abuse of compromised accounts.
Why prioritize this
Although marked MEDIUM severity, this vulnerability warrants prioritized patching in environments where Kiteworks enforces critical data governance or compliance workflows. The ease of exploitation for any authenticated user, combined with the integrity impact on approval processes, makes this a candidate for near-term remediation. Environments with high user counts, third-party access, or stringent audit requirements should treat this as HIGH priority.
Risk score, explained
The CVSS 3.1 score of 6.5 reflects a network-accessible vulnerability requiring low privileges (authenticated user) with no user interaction needed, but limited to integrity impact (modifying form configurations) with no confidentiality or availability impact on the Kiteworks instance itself. The score does not fully capture the business risk posed by tampering with approval workflows; organizations should apply their own risk assessment based on the criticality of their data approval processes and the prevalence of internal threats or account compromise in their threat model.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires valid Kiteworks user credentials. An attacker must first obtain or be granted a legitimate account. However, once authenticated, no additional privileges are needed, making the barrier to exploitation relatively low if account compromises or insider threats are present.
Does this vulnerability allow access to sensitive data in the forms themselves?
No. The vulnerability is limited to modifying how forms route through approval workflows. An attacker cannot directly read or exfiltrate form data. However, by tampering with approval chains, they could potentially redirect data to unauthorized recipients or bypass intended approval gatekeepers.
What is the recommended timeline for patching?
Organizations should prioritize this patch within 30 days, especially if they manage sensitive or compliance-critical data through Kiteworks forms. Environments with high-risk data classifications or known insider threats should expedite patching to 7–14 days where operationally feasible.
Are there any known public exploits for this vulnerability?
This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. However, organizations should not rely on this as assurance; the straightforward nature of IDOR attacks means weaponized exploitation could emerge quickly once the patch is widely deployed.
This analysis is provided for informational purposes and represents the state of CVE-2026-23638 as of the publication date. Organizations should verify patch availability, compatibility, and testing outcomes independently with Kiteworks and their own systems. SEC.co does not guarantee the completeness or accuracy of vendor advisories and encourages security teams to consult official Kiteworks documentation and coordinate patching with their change management and business continuity processes. No exploit code or active attack telemetry is provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-24753MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch to 9.3.0
- CVE-2026-24755MEDIUMKiteworks IDOR Authorization Flaw in Secure Data Forms
- CVE-2026-24756MEDIUMKiteworks IDOR Vulnerability – Unauthorized Data Modification Risk
- CVE-2026-24761LOWKiteworks IDOR Vulnerability in Secure Data Forms
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-3173MEDIUMWordPress Meta Field Block Insecure Direct Object Reference (IDOR) Vulnerability