CVE-2026-23635
Received Received - Intake
Unprotected Credential Transport in Kiteworks Secure Data Forms

Publication date: 2026-03-25

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potentially lead to Unprotected Transport of Credentials under certain circumstances. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-27
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23635
EUVD
EUVD-2026-15540
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
accellion kiteworks to 9.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-523 Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23635 affects Kiteworks Secure Data Forms versions prior to 9.2.1 and involves a potential vulnerability related to the unprotected transport of credentials.

Specifically, a misconfiguration in the security attributes can lead to credentials (such as usernames and passwords) being transmitted without adequate protection under certain conditions.

This vulnerability is classified under CWE-523, indicating that login pages do not sufficiently secure credentials during transit from client to server.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive data, specifically user credentials, because they may be transmitted without proper protection.

The CVSS score indicates a moderate severity with a high confidentiality impact, meaning attackers could potentially intercept login credentials remotely without needing authentication or user interaction.

While the integrity impact is low and there is no impact on availability, the exposure of credentials can lead to further security breaches or unauthorized access.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Kiteworks Secure Data Forms to version 9.2.1 or later.

This upgrade corrects the security misconfiguration that leads to unprotected transport of credentials, ensuring that usernames and passwords are properly protected during transmission.

Compliance Impact

The vulnerability in Kiteworks Secure Data Forms prior to version 9.2.1 involves unprotected transport of credentials, which can lead to unauthorized disclosure of sensitive data.

Such unauthorized disclosure of sensitive information, including usernames and passwords, can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require secure handling and transmission of personal and sensitive data.

Failure to protect credentials during transmission may result in violations of these regulations' requirements for confidentiality and data security.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23635. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart