CVE-2026-24753: Kiteworks IDOR Vulnerability in Secure Data Forms – Patch to 9.3.0
Kiteworks Secure Data Forms contained an authorization flaw that allowed authenticated users to modify data forms and resources belonging to other users. The vulnerability stems from insufficient checks verifying that a user actually owns or has permission to modify a resource before allowing the action. Any authenticated user could exploit this by directly referencing another user's resource identifiers and making changes. This is categorized as an Insecure Direct Object Reference (IDOR) vulnerability. The issue is resolved in Kiteworks version 9.3.0 and later.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-24753 is an IDOR vulnerability (CWE-639) in Kiteworks Secure Data Forms that affects versions prior to 9.3.0. The vulnerability arises from insufficient authorization controls on resource ownership verification. When an authenticated user submits a request to modify a resource, the application fails to properly validate that the requesting user has ownership or explicit permission to modify that specific resource. An attacker with valid credentials can exploit this by crafting requests with object references belonging to other users, allowing unauthorized modification of those resources. The attack surface is network-accessible and requires valid authentication credentials to exploit.
Business impact
This vulnerability poses a direct threat to data integrity within Kiteworks deployments. Authenticated users—whether internal staff with low privileges or compromised external accounts—can alter forms, templates, or other resources created by colleagues or administrators without authorization. In a Secure Data Forms context, this could lead to modification of data collection workflows, form logic, or sensitive configuration. The integrity impact is high; confidentiality and availability are not directly compromised. Organizations relying on Kiteworks for regulated data workflows may face compliance concerns if resource tampering goes undetected, as audit trails would show unauthorized modifications.
Affected systems
The vulnerability affects Kiteworks (by Accellion) Secure Data Forms in all versions prior to version 9.3.0. Organizations running older versions of Kiteworks should treat this as an immediate remediation target. The vulnerability requires an authenticated session, so it does not pose a risk to unauthenticated systems or networks without Kiteworks deployment.
Exploitability
Exploitation requires a valid authenticated session—an attacker cannot exploit this vulnerability from an unauthenticated state. However, once authenticated, exploitation is straightforward: the attacker needs only to identify or guess resource identifiers belonging to other users and submit modification requests. No complex attack chains, social engineering, or user interaction is required. The CVSS 3.1 score of 6.5 (MEDIUM) reflects the requirement for authentication coupled with the high integrity impact. The attack vector is network-based, meaning exploitation can occur remotely without physical access.
Remediation
Upgrade Kiteworks to version 9.3.0 or later. This patch version includes authorization control fixes that properly validate resource ownership before permitting modifications. Organizations should verify patch applicability in the official Kiteworks release notes and schedule upgrades during a maintenance window to avoid service disruption. Pre-upgrade testing in a non-production environment is recommended.
Patch guidance
To remediate CVE-2026-24753, upgrade your Kiteworks deployment to version 9.3.0 or any subsequent release. Consult the Accellion/Kiteworks vendor advisory and release notes to confirm patch availability and any prerequisites for your specific deployment configuration (on-premises, cloud-hosted, etc.). Plan the upgrade carefully, as it may require service restarts. After patching, validate that authorization controls are functioning correctly by testing that users cannot modify resources belonging to other users.
Detection guidance
Monitor Kiteworks audit logs for suspicious resource modification activities, particularly modifications by users to resources they did not create or should not have access to. Look for patterns of cross-user modifications or a single user modifying a large number of resources in a short time window. Network detection can focus on HTTP requests containing unusual object identifiers in modification endpoints. Once patched, baseline normal modification patterns to establish a detection baseline. If available, enable verbose logging on Secure Data Forms endpoints during the interim period before patching.
Why prioritize this
This vulnerability should be prioritized for patching due to several factors: (1) It requires only authentication, not complex exploitation; (2) The impact on data integrity is high, potentially affecting business-critical workflows; (3) Kiteworks is often used for regulated data handling, making unauthorized modifications a compliance concern; (4) The vulnerability is in a widely-used feature (Secure Data Forms); and (5) Patch availability exists, making remediation straightforward. While not in active exploitation (KEV status is false), the relative ease of exploitation post-authentication warrants near-term patching.
Risk score, explained
The CVSS 3.1 score of 6.5 (MEDIUM) reflects a balanced risk profile: Attack Vector (Network) and Attack Complexity (Low) elevate risk, as does the high Impact on Integrity. However, the requirement for Privileges (authenticated user) and absence of Confidentiality or Availability impact constrain the score. In practice, organizational risk may be higher if Kiteworks is used in high-sensitivity workflows or if the user base includes many external or lower-privileged accounts that could be compromised.
Frequently asked questions
Who can exploit this vulnerability?
Any user with valid Kiteworks authentication credentials can attempt exploitation. This includes internal staff, external partners with portal access, or attackers who have obtained or compromised a legitimate user account. The vulnerability does not require administrative or elevated privileges—a standard authenticated user is sufficient.
How do I know if my Kiteworks instance is vulnerable?
Check your Kiteworks version number in the admin console or deployment documentation. If it is version 9.2.x or earlier, your instance is vulnerable to CVE-2026-24753. Version 9.3.0 and later include the fix. If you are unsure of your version, contact your Kiteworks administrator or Accellion support.
Can this vulnerability be exploited without network access?
No, the vulnerability requires network access to the Kiteworks instance and a valid user session. An attacker cannot exploit it from outside your network or without logging in. However, any authenticated user on your network can attempt exploitation, so strong access controls and credential hygiene remain critical.
What should I do while waiting for a maintenance window to patch?
Implement compensating controls: restrict Kiteworks access to trusted internal users only if possible, increase monitoring of resource modification logs for suspicious activity, enforce multi-factor authentication if not already in place to reduce credential compromise risk, and consider temporarily disabling Secure Data Forms if not essential until patching is complete.
This analysis is provided for informational purposes to help organizations understand and respond to CVE-2026-24753. SEC.co makes no warranty regarding the completeness or accuracy of this information. Affected organizations should verify all patch version numbers, compatibility notes, and deployment procedures directly against the official Accellion/Kiteworks vendor advisory and release notes before applying patches. Security teams should conduct their own risk assessment based on their specific deployment configuration, user base, and data sensitivity. This vulnerability intelligence is not a substitute for professional security consultation or vendor guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance
- CVE-2026-24755MEDIUMKiteworks IDOR Authorization Flaw in Secure Data Forms
- CVE-2026-24756MEDIUMKiteworks IDOR Vulnerability – Unauthorized Data Modification Risk
- CVE-2026-24761LOWKiteworks IDOR Vulnerability in Secure Data Forms
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-3173MEDIUMWordPress Meta Field Block Insecure Direct Object Reference (IDOR) Vulnerability