CVE-2026-24755 Kiteworks IDOR Authorization Flaw in Secure Data Forms
Kiteworks, a platform for secure data sharing and management, contains a flaw in its Secure Data Forms feature that allows logged-in users to change permissions on files and folders belonging to other users. The vulnerability stems from the system not properly verifying whether a user actually owns or has authority over a resource before allowing permission changes. An attacker with valid credentials could exploit this to gain access to, or revoke access from, other users' sensitive data without authorization.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-24755 is an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms prior to version 9.3.0. The root cause is insufficient authorization checks on resource ownership when processing permission modification requests. An authenticated attacker can directly reference and modify access controls on resources they do not own by manipulating request parameters or object identifiers, bypassing the intended access control logic. The CVSS 3.1 score of 5.4 (Medium) reflects network accessibility, low attack complexity, and a low attack surface (authenticated access required), with impacts to confidentiality and integrity.
Business impact
This vulnerability creates insider threat and data governance risks. A malicious insider or compromised account can silently alter permissions on shared data, potentially exposing sensitive customer, financial, or proprietary information to unintended parties, or denying legitimate users access to critical assets. For organizations using Kiteworks as a trust boundary for regulated data (healthcare, finance, legal), unauthorized permission changes violate audit trails and compliance controls, creating incident response and liability exposure. The indirect but plausible attack surface—social engineering to obtain legitimate credentials—increases real-world risk.
Affected systems
Kiteworks versions prior to 9.3.0 are affected. The Secure Data Forms feature is the specific attack vector. Organizations running any 9.x version before 9.3.0, or any earlier major version, should assume they are vulnerable. Check your Kiteworks deployment version in the admin console or system information logs.
Exploitability
Exploitation requires valid Kiteworks user credentials; unauthenticated access is not possible. Once authenticated, an attacker can modify permissions through standard API calls or web requests without requiring special privileges, complex tooling, or user interaction from victims. The low attack complexity and lack of user interaction make this a straightforward privilege escalation once credentials are obtained. The vulnerability is not known to be actively exploited in the wild (KEV status: not listed), but the simplicity of the attack and prevalence of credential compromise mean organizations should treat this as a practical risk.
Remediation
Upgrade Kiteworks to version 9.3.0 or later. Verify the upgrade path with Accellion's release notes to ensure no migration steps or downtime considerations are missed. In parallel, audit permission changes made on Secure Data Forms resources in the 30–90 days prior to patching to detect unauthorized modifications; Kiteworks audit logs should record all permission changes with user and timestamp. Review and re-validate permissions on highly sensitive shared data after patching.
Patch guidance
Accellion has released version 9.3.0 with authorization checks applied to resource ownership verification. Download and deploy 9.3.0 or any later stable version from the Kiteworks portal. Follow the vendor's upgrade documentation to schedule patching (many organizations will require maintenance windows). Test the upgrade in a non-production environment first to confirm no breaking changes to custom integrations or workflows. Coordinate timing with business stakeholders, as Secure Data Forms may be in active use during normal operations.
Detection guidance
Monitor Kiteworks audit logs for permission modification events, especially those modifying resources owned by different users than the requestor. Alert on any permission changes that grant or revoke access when the user requesting the change does not match the resource owner. Review API access logs if Kiteworks exposes detailed request logs. Watch for unusual patterns: a single user account rapidly changing permissions on many resources, or permission changes from off-hours or unusual IP addresses. Implement detective controls that flag cross-owner resource modifications for security review.
Why prioritize this
This is a medium-priority vulnerability. The CVSS score of 5.4 reflects moderate impact, but organizational context matters: if your Kiteworks deployment handles highly regulated or sensitive data (PII, trade secrets, healthcare records), treat it as higher priority. The fact that it requires authentication limits widespread exploitation, but insider threat scenarios and credential compromise increase likelihood. The simplicity of the attack and the sensitive nature of data managed by Kiteworks suggest scheduling the patch within 30 days rather than deferring it to routine maintenance cycles.
Risk score, explained
The CVSS 3.1 score of 5.4 (Medium) reflects: (1) Network-accessible attack surface (AV:N), (2) Low attack complexity—no special conditions required once authenticated (AC:L), (3) Requirement for prior authentication (PR:L), (4) No user interaction needed from the victim (UI:N), (5) Scope unchanged—the vulnerability is confined to the Kiteworks application (S:U), (6) Low confidentiality impact—an attacker can view data they should not access (C:L), (7) Low integrity impact—permissions can be altered but not the data itself (I:L), and (8) No availability impact (A:N). The score appropriately reflects that this is a serious but not critical authorization flaw.
Frequently asked questions
Do I need admin privileges to exploit this vulnerability?
No. The vulnerability requires only a standard, authenticated Kiteworks user account. It does not require administrative rights. Any employee with a valid login can attempt exploitation.
Can this vulnerability be exploited without a Kiteworks account?
No. Unauthenticated users cannot access Kiteworks features, including Secure Data Forms. An attacker must possess or obtain valid credentials (through password compromise, phishing, or insider access) to launch an attack.
Will upgrading to 9.3.0 cause downtime or break existing functionality?
Verify against Accellion's official release notes and upgrade guide for your specific version path. In general, patch releases are designed to be backward-compatible and low-impact, but organizations should test in a staging environment first and schedule patching during a maintenance window to minimize operational disruption.
If we've been running Kiteworks unpatched, should we assume our data has been compromised?
Not necessarily, but you should audit permission change logs immediately. Review Kiteworks audit logs for the 30–90 days prior to patching to identify any unauthorized permission modifications. If no suspicious activity is found, document this; if suspicious activity is found, initiate an incident investigation to determine scope and impact.
This analysis is provided for informational purposes to help security teams assess and prioritize risk. It is not a substitute for vendor advisories or your organization's security review process. Test all patches in a non-production environment before production deployment. Specific version numbers, release dates, and patch availability should be verified directly with Accellion Kiteworks documentation. Organizations should consult their own risk assessment frameworks and compliance obligations when prioritizing remediation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance
- CVE-2026-24753MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch to 9.3.0
- CVE-2026-24756MEDIUMKiteworks IDOR Vulnerability – Unauthorized Data Modification Risk
- CVE-2026-24761LOWKiteworks IDOR Vulnerability in Secure Data Forms
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-3173MEDIUMWordPress Meta Field Block Insecure Direct Object Reference (IDOR) Vulnerability