HarborGuard Database

CVE-2026-24782 | Severity: HIGH | CNA: GitHub_M

CVE-2026-24782: Kiteworks Secure Data Forms has a SQL Injection vulnerability

Kiteworks is a private data network (PDN). Prior to version 9.3.0, multiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on, or modify, other users' form definitions and some global configuration parameters. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

Metrics

CVSS v3.1: 7.6
Severity: HIGH
Fixed in: 9.3.0 (per the upstream advisory)
Affected Products: 1


HarborGuard Analysis

Synopsis

SQL injection in Kiteworks Secure Data Forms allows an authenticated attacker holding the FormBuilder role to manipulate SQL queries sent to the underlying database. The vulnerability is reachable over the network and requires no victim interaction, but does require a low-privilege account with the FormBuilder role. Successful exploitation lets the attacker read other users' form definitions and some global configuration parameters, or overwrite them; the CVSS vector rates the integrity impact high and the confidentiality and availability impacts low. The upstream advisory names 9.3.0 as the fixed version; HarborGuard tracks the advisory and will make a patched-image rebuild available once that release is confirmed in its feed.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Kiteworks Secure Data Forms. Any image running a Kiteworks version below 9.3.0 surfaces as affected.

Triage: Available

HarborGuard scores this finding at CVSS 7.6 (High) and applies per-environment compliance policy weighting before routing the alert to the appropriate team inbox within each customer organization. Triage context includes the specific affected component (Secure Data Forms) and the privilege level required to exploit it (an authenticated account holding the FormBuilder role).

Patch: Pending upstream

The upstream advisory names 9.3.0 as the fixed version, but that release has not yet been confirmed in HarborGuard's ingest feed, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild at 9.3.0 or later available the moment the release is confirmed. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads are triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network (AV:N), so the attacker must be able to reach the Kiteworks service, typically over HTTPS.

  • Authentication: Required

    The attacker must hold a valid account with the FormBuilder role (PR:L); any account granted that role is sufficient, so the set of FormBuilder assignments is the effective attack surface.

  • Victim interaction: Not required

    No victim action is needed (UI:N); the attacker sends crafted requests directly to the service.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions or specific environmental configuration.

Blast Radius

  • Reads other users' form definitions, potentially exposing field layouts, validation rules, and any data embedded in form configurations.
  • Reads some global configuration parameters stored in the database, which may include application settings or integration credentials; the advisory does not enumerate them, so treat any secret-bearing setting as potentially exposed until the fixed version is deployed.
  • Modifies other users' form definitions, allowing an attacker to alter form behavior or inject malicious field configurations.
  • Modifies global configuration parameters, enabling persistent tampering with application-wide settings.
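The two failure modes in the list above, a read of another owner's form definition (and, through the same injection point, of global configuration) and a write to another owner's form, as an added example in Python over an in-memory SQLite database. This is not Kiteworks code and nothing in it comes from the advisory: the schema, the table and column names, the owner-scoped queries and the payloads are constructed assumptions standing in for whatever the real FormBuilder endpoints do. It pairs each concatenated query with its parameterized replacement.

```python
# Added illustrative model of the bug class described in the advisory. It is
# NOT Kiteworks code: the schema, table and column names, and the payloads are
# constructed assumptions chosen to show how an owner-scoped form lookup and
# update built by string concatenation can be turned against other users' rows
# and against global configuration, and how bound parameters close the hole.
import sqlite3


def build_db():
    """Constructed sample data: two form owners and one global setting."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE form_definitions (
            id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT, definition TEXT);
        CREATE TABLE global_config (cfg_key TEXT PRIMARY KEY, cfg_value TEXT);
        INSERT INTO form_definitions VALUES (1, 100, 'intake',    '{"fields": ["name"]}');
        INSERT INTO form_definitions VALUES (2, 200, 'hr-review', '{"fields": ["ssn"]}');
        INSERT INTO global_config VALUES ('upload_limit_mb', '50');
        """
    )
    return conn


# --- Vulnerable pattern: caller input spliced into the SQL text ---------------

def get_form_vulnerable(conn, owner_id, form_name):
    # The owner_id predicate looks like an authorization check, but form_name
    # is part of the SQL grammar, so a quote in it rewrites the WHERE clause.
    sql = (
        "SELECT id, owner_id, name, definition FROM form_definitions "
        f"WHERE owner_id = {int(owner_id)} AND name = '{form_name}'"
    )
    return conn.execute(sql).fetchall()


def rename_form_vulnerable(conn, owner_id, form_id, new_name):
    # Same defect on the write path: new_name can close the string, supply its
    # own WHERE clause and comment out the owner check that follows.
    sql = (
        f"UPDATE form_definitions SET name = '{new_name}' "
        f"WHERE id = {int(form_id)} AND owner_id = {int(owner_id)}"
    )
    conn.execute(sql)
    conn.commit()


# --- Fixed pattern: bound parameters, owner check always enforced -------------

def get_form_fixed(conn, owner_id, form_name):
    # Placeholders keep the caller's input out of the SQL grammar entirely.
    return conn.execute(
        "SELECT id, owner_id, name, definition FROM form_definitions "
        "WHERE owner_id = ? AND name = ?",
        (owner_id, form_name),
    ).fetchall()


def rename_form_fixed(conn, owner_id, form_id, new_name):
    cur = conn.execute(
        "UPDATE form_definitions SET name = ? WHERE id = ? AND owner_id = ?",
        (new_name, form_id, owner_id),
    )
    conn.commit()
    return cur.rowcount  # 0 means the caller did not own that form


# Constructed payloads a FormBuilder-level account (owner 100) could send.
READ_ALL_FORMS = "' OR 1=1 --"
READ_GLOBAL_CONFIG = "' UNION SELECT 0, 0, cfg_key, cfg_value FROM global_config --"
HIJACK_OTHER_FORM = "pwned' WHERE id = 2 --"


if __name__ == "__main__":
    db = build_db()
    print(get_form_vulnerable(db, 100, READ_ALL_FORMS))      # both owners' forms
    print(get_form_vulnerable(db, 100, READ_GLOBAL_CONFIG))  # global setting leaks
    rename_form_vulnerable(db, 100, 1, HIJACK_OTHER_FORM)    # rewrites owner 200's form
    print(get_form_fixed(db, 100, READ_ALL_FORMS))           # []: payload is just a name
    print(rename_form_fixed(db, 100, 2, "x"))                # 0: owner check holds
```

The vulnerable lookups keep an `owner_id` predicate, which is why this bug class is easy to miss in review: the authorization is present in the query text, but the attacker controls the rest of that text. Bound parameters alone remove the injection; keeping the owner predicate in the fixed UPDATE and checking `rowcount` is what preserves the per-user scope the advisory says was bypassed.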

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked and matched against all images containing Kiteworks Secure Data Forms below version 9.3.0. The upstream advisory names 9.3.0 as the fixed version; until that release is confirmed in HarborGuard's feed, the advisory is re-checked on every ingest cycle. The moment the fix is confirmed, a patched-image rebuild becomes available, and customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads automatically. In the meantime, compensating controls worth considering are network-policy rules that restrict access to the Kiteworks service to trusted internal subnets, reducing FormBuilder role assignments to the minimum necessary set of accounts (every FormBuilder account is a potential attacker here), and reviewing form definitions and global configuration for unexpected changes, since the advisory covers modification as well as disclosure. Egress filtering helps only against out-of-band exfiltration; data returned in the application's own responses is unaffected by it.

Affected packages
  • kiteworks / Secure Data Forms
    < 9.3.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L