CVE-2026-24755
Description
Kiteworks Secure Data Forms versions prior to 9.3.0 are vulnerable to an IDOR, allowing authenticated users to modify other users' resource permissions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kiteworks Secure Data Forms versions prior to 9.3.0 are vulnerable to an IDOR, allowing authenticated users to modify other users' resource permissions.
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability exists in Kiteworks Secure Data Forms prior to version 9.3.0. This flaw stems from insufficient authorization checks on resource ownership, allowing an authenticated user to modify permissions on resources belonging to other users [1].
Exploitation
An authenticated user can exploit this vulnerability by manipulating requests to modify the set of collaborators for forms owned by other users. This requires the attacker to have valid user credentials and be authenticated to the Kiteworks system [1].
Impact
Successful exploitation allows an authenticated attacker to modify permissions on resources belonging to other users, potentially leading to unauthorized access or modification of sensitive data. The scope of the compromise is limited to the resources accessible by the authenticated user's account [1].
Mitigation
Kiteworks has released version 9.3.0, which addresses this vulnerability. Users are advised to upgrade to version 9.3.0 or later. The release date for version 9.3.0 is not specified in the available references [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <9.3.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.