CVE-2026-24761
Description
Kiteworks Secure Data Forms versions prior to 9.3.0 contain an IDOR vulnerability allowing authenticated users to access other users' resource metadata.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An Insecure Direct Object Reference (IDOR) vulnerability exists in Kiteworks Secure Data Forms versions prior to 9.3.0. This flaw stems from insufficient authorization checks on resource ownership, allowing authenticated users to access metadata of resources belonging to other users [1].
Exploitation
An authenticated attacker can exploit this vulnerability by sending a crafted request for resource metadata. Because the authorization checks on resource ownership are insufficient, the attacker can view information they should not have access to [1].
Impact
Successful exploitation allows an authenticated attacker to view the email notification configuration and other metadata of another user's resources. This leads to unauthorized information disclosure regarding user data and system configurations [1].
Mitigation
Kiteworks has released version 9.3.0 to address this vulnerability. Users are advised to upgrade to Kiteworks version 9.3.0 or later to receive the patch. No workarounds are mentioned in the available references [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <9.3.0
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.