CVE-2026-23635
Unprotected Credential Transport in Kiteworks Secure Data Forms
Publication date: 2026-03-25
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| accellion | kiteworks | all versions before 9.2.1 (9.2.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-523 | Login pages do not use adequate measures to protect the user name and password while they are in transit from the client to the server. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23635 affects Kiteworks Secure Data Forms versions prior to 9.2.1 and concerns the unprotected transport of credentials.
Specifically, a misconfiguration in the security attributes can, under certain conditions, cause credentials (such as usernames and passwords) to be transmitted without adequate protection.
This vulnerability is classified under CWE-523, indicating that login pages do not sufficiently secure credentials during transit from client to server.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of sensitive data, specifically user credentials, because they may be transmitted without proper protection.
The CVSS score indicates moderate severity with a high confidentiality impact: an attacker could potentially intercept login credentials remotely without authentication or user interaction.
While the integrity impact is low and there is no impact on availability, the exposure of credentials can lead to further security breaches or unauthorized access.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Kiteworks Secure Data Forms to version 9.2.1 or later.
This upgrade corrects the security misconfiguration that leads to unprotected transport of credentials, ensuring that usernames and passwords are properly protected during transmission.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Kiteworks Secure Data Forms prior to version 9.2.1 involves unprotected transport of credentials, which can lead to unauthorized disclosure of sensitive data.
Such unauthorized disclosure of sensitive information, including usernames and passwords, can negatively impact compliance with data protection standards and regulations like GDPR and HIPAA, which require secure handling and transmission of personal and sensitive data.
Failure to protect credentials during transmission may result in violations of these regulations' requirements for confidentiality and data security.