CVE-2026-24782: Kiteworks SQL Injection in Secure Data Forms – Patch to 9.3.0
Kiteworks, a platform designed to securely manage private data networks, contains multiple SQL injection flaws in its Secure Data Forms feature. Prior to version 9.3.0, an authenticated user with FormBuilder role permissions can exploit these vulnerabilities to access or alter form definitions belonging to other users and potentially modify some system-wide settings. This is a privilege escalation and data exposure risk that requires prompt patching.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
- Weaknesses (CWE)
- CWE-89
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Kiteworks is a private data network (PDN). Prior to version 9.3.0,ultiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global configuration parameters. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-24782 encompasses multiple SQL injection vulnerabilities (CWE-89) within the Kiteworks Secure Data Forms module. The vulnerabilities are exploitable by authenticated attackers holding the FormBuilder role. By injecting malicious SQL, an attacker can bypass intended access controls to query form metadata and configuration of other users, as well as modify certain global parameters. The CVSS 3.1 score of 7.6 (HIGH) reflects the network-based attack vector, low complexity, and moderate impact across confidentiality, integrity, and availability. Remediation requires upgrading to version 9.3.0 or later.
Business impact
Organizations using Kiteworks face two primary risks: unauthorized disclosure of other users' form designs and business logic, and potential tampering with global configuration settings that could disrupt data workflows or governance controls. For enterprises relying on Kiteworks as a regulated data exchange platform, this vulnerability could lead to compliance violations if sensitive form metadata or user data is exposed. The ability to modify forms and settings means attackers could pivot to more destructive actions or cover tracks by altering audit-relevant configurations.
Affected systems
Kiteworks versions prior to 9.3.0 are affected. This includes all releases of the Kiteworks private data network platform before the patched version. The vulnerability is specific to the Secure Data Forms feature and requires the attacker to already possess valid credentials with FormBuilder role assignment.
Exploitability
Exploitation requires valid Kiteworks credentials and FormBuilder role permissions, making this a post-authentication attack. An insider threat or compromised account with FormBuilder access becomes an immediate vector. The low attack complexity and straightforward SQL injection technique mean exploitation can be accomplished with standard tools and moderate technical skill once access is gained. The vulnerability does not appear in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date, but the simplicity of SQL injection exploitation warrants rapid patching regardless of public exploit availability.
Remediation
Upgrade Kiteworks to version 9.3.0 or later. This is the single definitive remediation; no workarounds or mitigations are viable. Organizations should prioritize this patch in environments where FormBuilder roles are widely distributed or where form definitions contain sensitive business logic.
Patch guidance
Verify that your current Kiteworks deployment version by checking the Administration console or support dashboard. Download and deploy version 9.3.0 or any later release from Accellion's official channels. Test the upgrade in a staging environment to ensure compatibility with custom form definitions and integrations before production rollout. Review release notes for any compatibility notes or procedural changes. Post-upgrade, confirm that form access controls function as intended by validating that FormBuilder users cannot access other users' forms.
Detection guidance
Monitor Kiteworks application logs for SQL error messages or unusual query patterns within the Secure Data Forms module, particularly those originating from FormBuilder-authenticated sessions. Look for requests containing SQL metacharacters (single quotes, dashes, keywords like UNION or SELECT) in form definition parameters. Network intrusion detection systems should flag suspicious SQL syntax in HTTP POST/GET parameters targeting form management endpoints. Consider implementing custom monitoring rules that alert on FormBuilder users accessing form metadata outside their own organizational unit or role scope.
Why prioritize this
Although not yet in CISA's KEV catalog, the combination of HIGH CVSS score, straightforward SQL injection attack surface, and potential for lateral movement or configuration tampering makes this a near-term priority. FormBuilder role distribution across teams increases the likelihood of compromised credentials. Any organization with active Kiteworks deployments should treat this as urgent and schedule patching within the next maintenance window.
Risk score, explained
The CVSS 3.1 score of 7.6 reflects: (1) Network-based attack vector requiring no physical or local access; (2) Low attack complexity—SQL injection is a well-understood exploitation technique; (3) Low privilege requirement—only FormBuilder role needed, not admin; (4) High integrity impact—ability to modify form definitions and global settings; (5) Low confidentiality impact—leakage of form metadata and configuration rather than end-user data at scale; (6) Low availability impact—no direct denial of service vector described. The overall HIGH severity rating appropriately flags this as a serious but not critical threat requiring swift remediation.
Frequently asked questions
Do we need to be running Kiteworks on-premise to be affected?
No. CVE-2026-24782 affects the Kiteworks application itself regardless of deployment model—on-premise, cloud-hosted, or hybrid. If your instance is running a version prior to 9.3.0, you are potentially vulnerable if FormBuilder users are active.
What if we don't have any users assigned the FormBuilder role?
If no users hold the FormBuilder role, the attack surface is significantly reduced. However, most Kiteworks deployments grant this role to content administrators and business process owners. Verify your role assignments in the Administration panel; even inactive or dormant accounts with FormBuilder access pose a risk if credentials are compromised.
Can we patch Kiteworks without downtime?
Upgrade procedures vary by deployment architecture. Review Accellion's upgrade documentation for your specific environment. Many organizations can perform rolling updates or schedule a brief maintenance window. Test the upgrade path in a non-production environment first to confirm compatibility with your forms and integrations.
What should we do if we suspect exploitation of this vulnerability occurred?
Immediately rotate credentials for all FormBuilder-role accounts, audit form definition modification history if logs are available, and review any recent changes to form designs or global configuration settings. Engage your incident response team and consider forensic analysis of application logs and database transaction records to identify unauthorized changes.
This analysis is based on publicly disclosed CVE data and vendor advisories current as of the publication date. Organizations should verify patch version numbers and release dates against official Accellion/Kiteworks documentation. Actual risk may vary depending on internal role distribution, network segmentation, and monitoring capabilities. This explainer is for informational purposes and does not constitute legal, compliance, or specific remediation advice; consult your security team and vendor for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access