CVE-2026-29092
Received Received - Intake
Session Management Bypass in Kiteworks Email Protection Gateway

Publication date: 2026-03-25

Last updated on: 2026-03-27

Assigner: GitHub, Inc.

Description
Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-25
Last Modified
2026-03-27
Generated
2026-06-16
AI Q&A
2026-03-25
EPSS Evaluated
2026-06-14
NVD
CVE-2026-29092
EUVD
EUVD-2026-15807
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
accellion kiteworks to 9.2.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-613 According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Kiteworks Email Protection Gateway prior to version 9.2.1. It involves session management where users who have been blocked or disabled can still maintain active sessions. This means that even after an account is disabled, the user may continue to have access until their session naturally expires.

Impact Analysis

The vulnerability can allow unauthorized users to continue accessing the system after their accounts have been disabled. This unauthorized access persists until the session expires, potentially leading to security risks such as unauthorized data access or manipulation.

Mitigation Strategies

To mitigate this vulnerability, upgrade Kiteworks Email Protection Gateway to version 9.2.1 or later, which contains the patch addressing the session management issue.

Compliance Impact

The vulnerability in Kiteworks Email Protection Gateway allows blocked users to maintain active sessions after their accounts are disabled, enabling unauthorized access until the session expires naturally.

This unauthorized access could lead to violations of compliance requirements in standards and regulations such as GDPR and HIPAA, which mandate strict access controls and timely revocation of user privileges to protect sensitive data.

Specifically, the insufficient session expiration (CWE-613) undermines the integrity of access management, potentially allowing unauthorized modification of data, which conflicts with regulatory demands for data integrity and security.

Upgrading to version 9.2.1 or later is recommended to remediate this issue and help maintain compliance with such standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29092. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart