CVE-2026-23636
Unrestricted File Upload Vulnerability in Kiteworks Secure Data Forms
Publication date: 2026-03-25
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| accellion | kiteworks | to 9.2.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify how the vulnerability in Kiteworks Secure Data Forms affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-23636 is a vulnerability in Kiteworks Secure Data Forms versions prior to 9.2.1. It involves an Unrestricted Upload of File with Dangerous Type due to missing validation. This means that a form manager can upload files with dangerous types without any restriction, potentially exploiting the system.
How can this vulnerability impact me? :
This vulnerability can be exploited remotely over the network with low attack complexity but requires high privileges. It does not impact confidentiality but can cause high integrity loss and low availability impact. Essentially, an attacker with the necessary privileges could upload harmful files that may alter or disrupt the system's integrity and availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Kiteworks Secure Data Forms to version 9.2.1 or later, where the missing validation issue has been patched.