{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23635", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.483Z", "datePublished": "2026-03-25T16:57:19.199Z", "dateUpdated": "2026-03-25T18:06:51.357Z"}, "containers": {"cna": {"title": "Kiteworks Secure Data Forms has a potential Unprotected Transport of Credentials", "problemTypes": [{"descriptions": [{"cweId": "CWE-523", "lang": "en", "description": "CWE-523: Unprotected Transport of Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-9hw2-6qp4-3v8f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-9hw2-6qp4-3v8f"}], "affected": [{"vendor": "kiteworks", "product": "Secure Data Forms", "versions": [{"version": "< 9.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T16:58:09.786Z"}, "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potentially lead to Unprotected Transport of Credentials under certain circumstances. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}], "source": {"advisory": "GHSA-9hw2-6qp4-3v8f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T17:51:55.311509Z", "id": "CVE-2026-23635", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T18:06:51.357Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23635", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T17:51:55.311509Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:52:35.550Z"}}], "cna": {"title": "Kiteworks Secure Data Forms has a potential Unprotected Transport of Credentials", "source": {"advisory": "GHSA-9hw2-6qp4-3v8f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kiteworks", "product": "Secure Data Forms", "versions": [{"status": "affected", "version": "< 9.2.1"}]}], "references": [{"url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-9hw2-6qp4-3v8f", "name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-9hw2-6qp4-3v8f", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potentially lead to Unprotected Transport of Credentials under certain circumstances. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-523", "description": "CWE-523: Unprotected Transport of Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T16:58:09.786Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23635", "state": "PUBLISHED", "dateUpdated": "2026-03-25T18:06:51.357Z", "dateReserved": "2026-01-14T16:08:37.483Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T16:57:19.199Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:accellion:kiteworks:*:*:*:*:*:*:*:*", "matchCriteriaId": "30A78D6E-2376-4B2C-B4AD-499D1DF88E34", "versionEndExcluding": "9.2.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potentially lead to Unprotected Transport of Credentials under certain circumstances. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}, {"lang": "es", "value": "Kiteworks es una red de datos privada (PDN). En Kiteworks Secure Data Forms anteriores a la versi\u00f3n 9.2.1, una mala configuraci\u00f3n de los atributos de seguridad podr\u00eda potencialmente conducir a un Transporte de Credenciales No Protegido bajo ciertas circunstancias. Actualice Kiteworks a la versi\u00f3n 9.2.1 o posterior para recibir un parche."}], "id": "CVE-2026-23635", "lastModified": "2026-03-27T19:16:29.210", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T17:16:35.480", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-9hw2-6qp4-3v8f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-523"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Secure Data Forms", "source": "cna", "vendor": "kiteworks"}, "product": "secure_data_forms", "vendor": "kiteworks"}], "analysis": {"en": {"generated_at": "2026-03-27T20:28:53.682100+00:00", "value": {"mitigation_remediation": ["Upgrade Kiteworks Secure Data Forms to version 9.2.1 or later.", "Reconfigure security attributes to enforce encrypted transport of credentials.", "If upgrade is delayed, monitor network traffic for plaintext credential transmissions and isolate affected systems from untrusted networks."], "summary": {"action": "Patch", "impact": "Unprotected Transport of Credentials"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Kiteworks Secure Data Forms versions earlier than 9.2.1. Administrators managing installations of the product before the identified patch should verify whether the configuration settings may permit unencrypted credential traffic.", "description_and_impact": "A misconfiguration of security attributes in Kiteworks Secure Data Forms may allow credentials to be transmitted without encryption. This flaw, classified as CWE-523, could expose sensitive authentication data to interception, compromising confidentiality for users who rely on the platform for secure data handling.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate risk, and the EPSS score of less than 1% suggests a low probability of active exploitation. It is not listed in the CISA KEV catalog. Exploitation requires that the security attributes be improperly set; once that condition exists an attacker can capture credentials in transit on the network."}}}}, "created": "2026-03-25T21:46:43.623002+00:00", "updated": "2026-03-29T20:28:21.905948+00:00", "vendors": ["kiteworks", "kiteworks$PRODUCT$secure_data_forms"]}