HIGH 7.6

CVE-2026-24782: Kiteworks SQL Injection in Secure Data Forms – Patch to 9.3.0

Kiteworks, a platform designed to securely manage private data networks, contains multiple SQL injection flaws in its Secure Data Forms feature. Prior to version 9.3.0, an authenticated user with FormBuilder role permissions can exploit these vulnerabilities to access or alter form definitions belonging to other users and potentially modify some system-wide settings. This is a privilege escalation and data exposure risk that requires prompt patching.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Weaknesses (CWE)
CWE-89
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Kiteworks is a private data network (PDN). Prior to version 9.3.0,ultiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global configuration parameters. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-24782 encompasses multiple SQL injection vulnerabilities (CWE-89) within the Kiteworks Secure Data Forms module. The vulnerabilities are exploitable by authenticated attackers holding the FormBuilder role. By injecting malicious SQL, an attacker can bypass intended access controls to query form metadata and configuration of other users, as well as modify certain global parameters. The CVSS 3.1 score of 7.6 (HIGH) reflects the network-based attack vector, low complexity, and moderate impact across confidentiality, integrity, and availability. Remediation requires upgrading to version 9.3.0 or later.

Business impact

Organizations using Kiteworks face two primary risks: unauthorized disclosure of other users' form designs and business logic, and potential tampering with global configuration settings that could disrupt data workflows or governance controls. For enterprises relying on Kiteworks as a regulated data exchange platform, this vulnerability could lead to compliance violations if sensitive form metadata or user data is exposed. The ability to modify forms and settings means attackers could pivot to more destructive actions or cover tracks by altering audit-relevant configurations.

Affected systems

Kiteworks versions prior to 9.3.0 are affected. This includes all releases of the Kiteworks private data network platform before the patched version. The vulnerability is specific to the Secure Data Forms feature and requires the attacker to already possess valid credentials with FormBuilder role assignment.

Exploitability

Exploitation requires valid Kiteworks credentials and FormBuilder role permissions, making this a post-authentication attack. An insider threat or compromised account with FormBuilder access becomes an immediate vector. The low attack complexity and straightforward SQL injection technique mean exploitation can be accomplished with standard tools and moderate technical skill once access is gained. The vulnerability does not appear in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date, but the simplicity of SQL injection exploitation warrants rapid patching regardless of public exploit availability.

Remediation

Upgrade Kiteworks to version 9.3.0 or later. This is the single definitive remediation; no workarounds or mitigations are viable. Organizations should prioritize this patch in environments where FormBuilder roles are widely distributed or where form definitions contain sensitive business logic.

Patch guidance

Verify that your current Kiteworks deployment version by checking the Administration console or support dashboard. Download and deploy version 9.3.0 or any later release from Accellion's official channels. Test the upgrade in a staging environment to ensure compatibility with custom form definitions and integrations before production rollout. Review release notes for any compatibility notes or procedural changes. Post-upgrade, confirm that form access controls function as intended by validating that FormBuilder users cannot access other users' forms.

Detection guidance

Monitor Kiteworks application logs for SQL error messages or unusual query patterns within the Secure Data Forms module, particularly those originating from FormBuilder-authenticated sessions. Look for requests containing SQL metacharacters (single quotes, dashes, keywords like UNION or SELECT) in form definition parameters. Network intrusion detection systems should flag suspicious SQL syntax in HTTP POST/GET parameters targeting form management endpoints. Consider implementing custom monitoring rules that alert on FormBuilder users accessing form metadata outside their own organizational unit or role scope.

Why prioritize this

Although not yet in CISA's KEV catalog, the combination of HIGH CVSS score, straightforward SQL injection attack surface, and potential for lateral movement or configuration tampering makes this a near-term priority. FormBuilder role distribution across teams increases the likelihood of compromised credentials. Any organization with active Kiteworks deployments should treat this as urgent and schedule patching within the next maintenance window.

Risk score, explained

The CVSS 3.1 score of 7.6 reflects: (1) Network-based attack vector requiring no physical or local access; (2) Low attack complexity—SQL injection is a well-understood exploitation technique; (3) Low privilege requirement—only FormBuilder role needed, not admin; (4) High integrity impact—ability to modify form definitions and global settings; (5) Low confidentiality impact—leakage of form metadata and configuration rather than end-user data at scale; (6) Low availability impact—no direct denial of service vector described. The overall HIGH severity rating appropriately flags this as a serious but not critical threat requiring swift remediation.

Frequently asked questions

Do we need to be running Kiteworks on-premise to be affected?

No. CVE-2026-24782 affects the Kiteworks application itself regardless of deployment model—on-premise, cloud-hosted, or hybrid. If your instance is running a version prior to 9.3.0, you are potentially vulnerable if FormBuilder users are active.

What if we don't have any users assigned the FormBuilder role?

If no users hold the FormBuilder role, the attack surface is significantly reduced. However, most Kiteworks deployments grant this role to content administrators and business process owners. Verify your role assignments in the Administration panel; even inactive or dormant accounts with FormBuilder access pose a risk if credentials are compromised.

Can we patch Kiteworks without downtime?

Upgrade procedures vary by deployment architecture. Review Accellion's upgrade documentation for your specific environment. Many organizations can perform rolling updates or schedule a brief maintenance window. Test the upgrade path in a non-production environment first to confirm compatibility with your forms and integrations.

What should we do if we suspect exploitation of this vulnerability occurred?

Immediately rotate credentials for all FormBuilder-role accounts, audit form definition modification history if logs are available, and review any recent changes to form designs or global configuration settings. Engage your incident response team and consider forensic analysis of application logs and database transaction records to identify unauthorized changes.

This analysis is based on publicly disclosed CVE data and vendor advisories current as of the publication date. Organizations should verify patch version numbers and release dates against official Accellion/Kiteworks documentation. Actual risk may vary depending on internal role distribution, network segmentation, and monitoring capabilities. This explainer is for informational purposes and does not constitute legal, compliance, or specific remediation advice; consult your security team and vendor for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).