Cyber Resilience

CVE-2026-23514

Severity: High

Published: 25 March 2026
Modified: 27 March 2026
KEV Added: not listed
Patch: available (see advisory below)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0104 (59.6th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23514 is a high-severity Improper Ownership Management (CWE-282) vulnerability in Accellion Kiteworks. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). By exploit likelihood (EPSS), the CVE ranks in the top 40.4% of all CVEs; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-23514 is an access control vulnerability (CWE-282) affecting Kiteworks Core, the core component of Kiteworks, a private data network (PDN). The issue impacts versions 9.2.0 and 9.2.1, enabling authenticated users to access unauthorized content. Published on 2026-03-25, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

An authenticated user with low privileges (PR:L) can exploit this vulnerability remotely over the network without user interaction. Successful exploitation allows the attacker to access content they are not authorized for, potentially leading to unauthorized data exposure, modification, or disruption of services, as reflected in the high impact ratings across confidentiality, integrity, and availability.

The Kiteworks security advisory recommends upgrading Kiteworks Core to version 9.2.2 or later to apply the patch that addresses this vulnerability. Further details are available in the advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-5gqr-cpr6-wvm5.

Vulnerability details

Kiteworks is a private data network (PDN). Versions 9.2.0 and 9.2.1 of Kiteworks Core have an access control vulnerability that allows authenticated users to access unauthorized content. Upgrade Kiteworks Core to version 9.2.2 or later to receive a patch.

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation) - Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1190 Exploit Public-Facing Application (tactic: Initial Access) - Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

An access-control bypass in a network-accessible application allows low-privilege authenticated users to exploit it remotely for unauthorized access and privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-28269 (same product: Accellion Kiteworks)
- CVE-2026-24782 (same product: Accellion Kiteworks)
- CVE-2026-23636 (same product: Accellion Kiteworks)
- CVE-2026-28270 (same product: Accellion Kiteworks)
- CVE-2026-24750 (same product: Accellion Kiteworks)
- CVE-2026-29092 (same product: Accellion Kiteworks)
- CVE-2026-24751 (same product: Accellion Kiteworks)
- CVE-2026-24752 (same product: Accellion Kiteworks)
- CVE-2026-28272 (same product: Accellion Kiteworks)
- CVE-2026-1264 (same product class: managed file transfer)

Affected Assets

Vendor: accellion
Product: kiteworks
Affected versions: 9.2.0, 9.2.1

Mitigating Controls (NIST 800-53 r5) [AI]

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for logical access to information and system resources, directly preventing authenticated users from accessing unauthorized content as exploited in this vulnerability.

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and correction of system flaws like this access control vulnerability through patching to version 9.2.2 or later.

AC-6 Least Privilege (prevent)

Employs least privilege to restrict authenticated low-privilege users to only the accesses they need, limiting the scope and impact of unauthorized content access.