CVE-2026-23638
Description
Kiteworks Secure Data Forms versions prior to 9.3.0 are vulnerable to IDOR, allowing authenticated users to modify other users' form approval flows.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability exists in Kiteworks Secure Data Forms prior to version 9.3.0. When a form's approval flow is modified, the application acts on the client-supplied form identifier without verifying that the form belongs to the requesting user, so any authenticated user can tamper with the internal approval flow configuration of forms owned by other users [1].
Exploitation
An authenticated attacker exploits this by submitting an approval-flow modification request that references a form identifier they do not own. The only prerequisites are valid user credentials for the Kiteworks instance and network access to it. No bypass technique is involved: the authorization check that should confirm resource ownership before a modification is applied is missing, so the request is simply accepted [1].
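The following is an added illustration of the vulnerability class described in the two sections above; it is not Kiteworks code, and the data model, function names and in-memory store are assumptions made for the demonstration. It places the assumed pre-fix handler (form looked up by client-supplied id, no ownership check) beside a hardened handler that resolves the form only within the caller's own scope, and simulates a cross-user modification request against each.

```python
"""Illustrative model of an IDOR on approval-flow updates.

Not Kiteworks code: Form, FORMS, the handler names and the Forbidden
exception are hypothetical, chosen to demonstrate the missing check.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the caller is not allowed to touch the referenced resource."""


@dataclass
class Form:
    form_id: int
    owner: str
    # Ordered list of approver usernames (constructed sample data).
    approval_flow: list[str] = field(default_factory=list)


# Constructed in-memory store standing in for the application's database.
FORMS: dict[int, Form] = {
    101: Form(101, "alice", ["manager-a", "legal"]),
    202: Form(202, "bob", ["manager-b"]),
}


def update_flow_vulnerable(user: str, form_id: int, new_flow: list[str]) -> list[str]:
    """Assumed pre-fix behaviour: the caller is authenticated (we know `user`),
    but the form is fetched by the client-supplied id and never compared
    against the caller, so any authenticated user can rewrite any flow."""
    form = FORMS[form_id]  # direct object reference, no ownership check
    form.approval_flow = list(new_flow)
    return form.approval_flow


def update_flow_hardened(user: str, form_id: int, new_flow: list[str]) -> list[str]:
    """Hardened behaviour: the lookup is scoped to the caller's own forms, so an
    id belonging to another user is treated the same as a missing one."""
    form = FORMS.get(form_id)
    if form is None or form.owner != user:
        # One response for "not found" and "not yours", so the error does not
        # reveal which identifiers exist.
        raise Forbidden(f"user {user!r} may not modify form {form_id}")
    form.approval_flow = list(new_flow)
    return form.approval_flow


def cross_user_attempt(handler, attacker: str, victim_form_id: int) -> bool:
    """Simulate the attack: `attacker` submits a request for a form they do not
    own, replacing its approval flow with themselves as sole approver.
    Returns True if the handler rejected the request, False if it applied it."""
    try:
        handler(attacker, victim_form_id, [attacker])
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("hardened rejects:", cross_user_attempt(update_flow_hardened, "bob", 101))
    print("vulnerable rejects:", cross_user_attempt(update_flow_vulnerable, "bob", 101))
    print("form 101 flow after attack:", FORMS[101].approval_flow)
```

The hardened variant deliberately returns the same error for an unknown id and for someone else's id; a distinct "not yours" response would turn the endpoint into an oracle for enumerating valid form identifiers even after the modification itself is blocked.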
Impact
Successful exploitation lets an attacker alter the internal approval flow configuration of forms owned by other users. Depending on what those flows govern, this can disrupt or short-circuit review steps in data handling processes or grant unintended access to sensitive information submitted through the affected forms [1].
Mitigation
Kiteworks has released version 9.3.0, which includes a patch for this vulnerability. Users are advised to upgrade to version 9.3.0 or later to remediate the issue [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <9.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.