CVE-2026-24761: CWE-639: Authorization Bypass Through User-Controlled Key in kiteworks Secure Data Forms
Kiteworks Secure Data Forms versions prior to 9.3.0 contain an authorization bypass vulnerability (CVE-2026-24761) due to insufficient checks on resource ownership. This allows an authenticated user to access metadata of resources belonging to other users. The vulnerability is classified as an Insecure Direct Object Reference (IDOR) and is addressed in version 9.3.0 or later. The CVSS score is 3.7, indicating a low severity impact. No known exploits are reported in the wild, and the product is not a cloud service.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-24761 is an authorization bypass vulnerability in Kiteworks Secure Data Forms before version 9.3.0. It arises from insufficient authorization checks on resource ownership, allowing authenticated users to access metadata of other users' resources via an Insecure Direct Object Reference (CWE-639). The vulnerability has a CVSS 3.1 base score of 3.7 (low severity) with network attack vector, high attack complexity, no privileges required, no user interaction, and limited confidentiality impact. The issue is resolved by upgrading to Kiteworks version 9.3.0 or later.
Potential Impact
An authenticated user can access metadata of resources belonging to other users, potentially exposing sensitive information about those resources. The impact is limited to confidentiality, with no integrity or availability effects. The low CVSS score reflects the limited scope (metadata only) and the high attack complexity required for exploitation.
Mitigation Recommendations
Upgrade Kiteworks Secure Data Forms to version 9.3.0 or later to apply the official patch that addresses this authorization bypass vulnerability. Since the product is not a cloud service, remediation depends on the user applying this upgrade. Patch status is confirmed by the vendor advisory stating the fix is included in version 9.3.0.
CVSS v3.1 score: 3.7 (Low)
Weaknesses: CWE-639 (Authorization Bypass Through User-Controlled Key)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-26T21:06:47.867Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a1e08c8e29bf47b5051e31c
Added to database: 6/1/2026, 10:33:44 PM
Last enriched: 6/1/2026, 10:49:12 PM
Last updated: 6/2/2026, 7:24:37 AM