{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23514", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-13T18:22:43.979Z", "datePublished": "2026-03-25T14:19:01.421Z", "dateUpdated": "2026-03-25T14:45:43.015Z"}, "containers": {"cna": {"title": "Kiteworks Core before 9.2.2 is vulnerable to Improper Ownership Management", "problemTypes": [{"descriptions": [{"cweId": "CWE-282", "lang": "en", "description": "CWE-282: Improper Ownership Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5"}], "affected": [{"vendor": "kiteworks", "product": "core", "versions": [{"version": ">= 9.2.0, < 9.2.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T14:19:01.421Z"}, "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch."}], "source": {"advisory": "GHSA-5gqr-cpr6-wvm5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:45:07.568054Z", "id": "CVE-2026-23514", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:45:43.015Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23514", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T14:45:07.568054Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:45:31.918Z"}}], "cna": {"title": "Kiteworks Core before 9.2.2 is vulnerable to Improper Ownership Management", "source": {"advisory": "GHSA-5gqr-cpr6-wvm5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kiteworks", "product": "core", "versions": [{"status": "affected", "version": ">= 9.2.0, < 9.2.2"}]}], "references": [{"url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5", "name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-282", "description": "CWE-282: Improper Ownership Management"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T14:19:01.421Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23514", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:45:43.015Z", "dateReserved": "2026-01-13T18:22:43.979Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T14:19:01.421Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:accellion:kiteworks:9.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E39C1D0F-1FB2-424A-9EE4-5B653A1AC66E", "vulnerable": true}, {"criteria": "cpe:2.3:a:accellion:kiteworks:9.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "A06208F4-EF54-43E5-84D8-144173AA604A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch."}, {"lang": "es", "value": "Kiteworks es una red de datos privada (PDN). Las versiones 9.2.0 y 9.2.1 de Kiteworks Core tienen una vulnerabilidad de control de acceso que permite a los usuarios autenticados acceder a contenido no autorizado. Actualice Kiteworks Core a la versi\u00f3n 9.2.2 o posterior para recibir un parche."}], "id": "CVE-2026-23514", "lastModified": "2026-03-27T18:52:37.110", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T15:16:37.967", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-282"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.2.0,9.2.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "core", "source": "cna", "vendor": "kiteworks"}, "product": "core", "vendor": "kiteworks"}], "analysis": {"en": {"generated_at": "2026-03-27T20:29:44.058322+00:00", "value": {"mitigation_remediation": ["Upgrade Kiteworks Core to version 9.2.2 or later.", "Verify that the new version includes the proper ownership controls.", "Monitor for any further advisories from Kiteworks or Accellion."], "summary": {"action": "Patch upgrade", "impact": "Unauthorized data access"}, "threat_synthesis": {"affected_systems": "The affected product is Accellion Kiteworks Core, specifically versions 9.2.0 and 9.2.1. These are versions of the private data network software. Users running these releases are susceptible to the flaw until a patch is applied.", "description_and_impact": "Kiteworks Core versions 9.2.0 and 9.2.1 contain an access control flaw that permits authenticated users to view data they do not own. This improper ownership management can lead to the disclosure of confidential information. The vulnerability is categorized as CWE-282 and carries a CVSS score of 8.8, indicating high severity.", "risk_and_exploitability": "The CVSS score of 8.8 reflects a high risk, while the EPSS of less than 1\u202f% suggests limited exploitation in the wild. The vulnerability requires authentication, meaning users with valid credentials could abuse the flaw. It is not currently listed in the CISA KEV catalog. Because the exploit path is purely internal and limited to legitimate accounts, the likelihood of attack is moderate, but the potential for sensitive data exposure warrants prompt remediation."}}}}, "created": "2026-03-25T21:31:08.616214+00:00", "updated": "2026-03-29T20:28:27.319857+00:00", "vendors": ["kiteworks", "kiteworks$PRODUCT$core"]}