CVE-2026-24761: Kiteworks IDOR Vulnerability in Secure Data Forms
CVE-2026-24761 is an authorization flaw in Kiteworks Secure Data Forms that allows authenticated users to view metadata belonging to other users. Because the system doesn't properly verify who owns a resource before allowing access, a legitimate user can craft requests to retrieve information about files and documents they shouldn't see. The vulnerability requires an attacker to already have valid credentials and involves a higher complexity of exploitation, which limits its risk profile. This affects Kiteworks versions before 9.3.0.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.7 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is an Insecure Direct Object Reference (IDOR) vulnerability stemming from insufficient authorization checks on resource ownership validation in Kiteworks Secure Data Forms. An authenticated attacker can enumerate or directly reference resource identifiers belonging to other users and retrieve their associated metadata without passing ownership or permission checks. The vulnerability exists in Kiteworks prior to version 9.3.0. While the CVSS vector indicates low attack complexity requirements at the network level, the actual exploitation requires a valid authentication context and involves guessing or discovering valid resource identifiers, which raises practical exploitation barriers. The impact is confined to confidentiality; no data modification or service disruption is possible.
Business impact
For organizations using Kiteworks as a private data network, this vulnerability introduces a metadata disclosure risk. Users may inadvertently expose information such as document names, file structures, ownership details, or other metadata of colleagues' sensitive data. In regulated environments (healthcare, finance, legal), metadata disclosure can trigger compliance concerns even if file contents remain protected. The risk is primarily reputational and compliance-related rather than operational. Organizations with strict data segregation policies or those handling highly classified information internally should treat this with appropriate urgency.
Affected systems
Kiteworks versions prior to 9.3.0 are vulnerable. The product affected is Accellion Kiteworks, a private data network platform used for secure file sharing and collaboration. No other Accellion or third-party products are mentioned as affected in the available information.
Exploitability
This vulnerability requires an attacker to already possess valid Kiteworks credentials, which significantly restricts the attack surface to authenticated users or compromised accounts. The attacker must then discover or infer valid resource identifiers (such as file IDs or object references) and attempt to access their metadata through direct object references. The CVSS score of 3.7 (LOW severity) reflects these constraints. Real-world exploitation is unlikely to be opportunistic; it typically represents insider risk or would require account compromise. Automated scanning and exploitation tools are not practical for this class of vulnerability without insider knowledge of resource naming schemes.
Remediation
Upgrade Kiteworks to version 9.3.0 or later. This version includes fixes for the authorization checks in Secure Data Forms. Organizations should verify the upgrade path with Accellion documentation, particularly in clustered or high-availability deployments. Testing in a staging environment is recommended before production deployment to ensure no regression in data form workflows or user permissions.
Patch guidance
Update Kiteworks to version 9.3.0 or later. Consult the Accellion security advisory and release notes for any prerequisites, compatibility notes, or rollback procedures. Verify the patch by confirming the installed version matches or exceeds 9.3.0 through the Kiteworks administrative interface. If you are on a support contract, coordinate the upgrade timing with your Accellion account team to minimize disruption to data form workflows.
Detection guidance
Detection of active exploitation is challenging without enhanced logging. Monitor authentication logs for unusual patterns of cross-user resource access or repeated failed authorization attempts. If Kiteworks offers detailed audit logging for Secure Data Forms, examine logs for users accessing resource metadata outside their assigned projects or teams. Network-level detection is impractical. Internal security testing should focus on verifying that authorization checks properly validate resource ownership before returning metadata to authenticated users. Automated IDOR scanning tools may identify the flaw if run in a testing environment with multiple user accounts.
Why prioritize this
This vulnerability warrants prioritized patching due to its fundamental nature—unauthorized disclosure of user metadata in a data network platform is a core trust violation—but the practical urgency is moderated by its LOW CVSS score and authentication requirement. Organizations should prioritize this patch alongside other Kiteworks updates within a normal maintenance window. Do not deprioritize it based solely on the low score; consider your user base size, data sensitivity, and insider threat posture when deciding patch timing.
Risk score, explained
The CVSS 3.1 score of 3.7 reflects a LOW severity rating. The score is driven by: (1) requirement for prior authentication (PR:N overridden by AC:H in practical terms), (2) network-based attack vector (AV:N) balanced by high attack complexity (AC:H), and (3) impact limited to confidentiality of metadata only (C:L, I:N, A:N). The score appropriately penalizes the requirement to be authenticated and the need for non-trivial attack complexity. However, CVSS does not fully capture the business context of metadata disclosure in regulated environments or the potential for insider abuse.
Frequently asked questions
If we're on Kiteworks 9.2.x, are we definitely vulnerable?
Yes. Any Kiteworks version prior to 9.3.0 contains the insufficient authorization check. Version 9.3.0 and later include the fix. You should plan an upgrade to 9.3.0 or later.
What happens if an attacker exploits this? Will they see file contents?
No. The vulnerability allows access to metadata only—information like document names, file structures, and ownership details. File contents remain protected by separate encryption and access controls. That said, metadata can still be sensitive in regulated industries.
Do we need administrator access to exploit this, or can any logged-in user do it?
Any authenticated user of Kiteworks can potentially exploit this. They do not need admin rights. This makes it an insider risk concern or a threat if user accounts are compromised through credential theft or phishing.
Will this show up in our vulnerability scanner?
Unauthenticated scanners will not detect it. You may see it flagged if you use authenticated scanning against Kiteworks or if Accellion itself has published a detection signature. Manual testing with multiple user accounts in a staging environment is the most reliable detection method.
This analysis is provided for informational purposes to assist security teams in vulnerability assessment and patch planning. It is not a substitute for independent security review or vendor guidance. Organizations should verify all patch versions, compatibility, and deployment procedures against official Accellion documentation and security advisories before applying updates. The CVSS score and threat assessment reflect available data as of the analysis date and may be updated by NIST or the vendor. No liability is accepted for decisions made based on this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance
- CVE-2026-24753MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch to 9.3.0
- CVE-2026-24755MEDIUMKiteworks IDOR Authorization Flaw in Secure Data Forms
- CVE-2026-24756MEDIUMKiteworks IDOR Vulnerability – Unauthorized Data Modification Risk
- CVE-2025-14772HIGHABB T-MAC Plus Authorization Bypass (CVSS 8.8)
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability