CVE-2026-29092
Received Received - Intake

Session Management Bypass in Kiteworks Email Protection Gateway

Vulnerability report for CVE-2026-29092, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-25

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description

Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-25
Last Modified
2026-03-27
Generated
2026-07-06
AI Q&A
2026-03-25
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
accellion kiteworks to 9.2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Kiteworks Email Protection Gateway prior to version 9.2.1. It involves session management where users who have been blocked or disabled can still maintain active sessions. This means that even after an account is disabled, the user may continue to have access until their session naturally expires.

Impact Analysis

The vulnerability can allow unauthorized users to continue accessing the system after their accounts have been disabled. This unauthorized access persists until the session expires, potentially leading to security risks such as unauthorized data access or manipulation.

Mitigation Strategies

To mitigate this vulnerability, upgrade Kiteworks Email Protection Gateway to version 9.2.1 or later, which contains the patch addressing the session management issue.

Compliance Impact

The vulnerability in Kiteworks Email Protection Gateway allows blocked users to maintain active sessions after their accounts are disabled, enabling unauthorized access until the session expires naturally.

This unauthorized access could lead to violations of compliance requirements in standards and regulations such as GDPR and HIPAA, which mandate strict access controls and timely revocation of user privileges to protect sensitive data.

Specifically, the insufficient session expiration (CWE-613) undermines the integrity of access management, potentially allowing unauthorized modification of data, which conflicts with regulatory demands for data integrity and security.

Upgrading to version 9.2.1 or later is recommended to remediate this issue and help maintain compliance with such standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29092. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart