CVE-2026-28269
Published: 26 February 2026
Summary
CVE-2026-28269 is a medium-severity OS Command Injection (CWE-78) vulnerability in Accellion Kiteworks. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 22.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-28269 affects Kiteworks, a private data network (PDN), in versions prior to 9.2.0. The vulnerability lies in the command execution functionality, where authenticated users can redirect command output to arbitrary file locations. Classified as CWE-78 (OS Command Injection), it has a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N), indicating network accessibility but requiring high privileges and attack complexity.
High-privilege authenticated users can exploit this vulnerability over the network without user interaction. Successful exploitation allows overwriting critical system files, which could lead to elevated access on the affected system.
Kiteworks version 9.2.0 contains a patch addressing this issue. Additional details are available in the security advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-6j64-6fpp-9453.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8918
Vulnerability details
Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in the Kiteworks command execution functionality allows authenticated users to redirect command output to arbitrary file locations. This could be exploited to overwrite critical system files and gain elevated access. Version 9.2.0 contains a patch.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The OS command injection (CWE-78) sits in a network-accessible Kiteworks application, so it is reached the way T1190 describes: an authenticated user abuses Unix shell output redirection in the command execution feature to overwrite system files and escalate privileges.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates command-execution inputs to block arbitrary output redirection to system files.
- AC-6 (Least Privilege): restricts authenticated users to only the minimal privileges needed, preventing file-overwrite commands.
- Enforces access restrictions on modifications to the critical system files that the vulnerability targets.
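The SI-10 and AC-6 controls above describe a concrete coding pattern for a command-execution feature that takes a caller-supplied output location: start the process with an argv list rather than a shell, so redirection operators are never interpreted; reject shell metacharacters in the output name; and confine the resolved output path to a single allowlisted directory. The example below is added here to illustrate that pattern and is not Kiteworks code; the allowlisted commands, the output directory and the function names are assumptions for the illustration.

```python
import subprocess
from pathlib import Path

# Constructed allowlist for this example (not Kiteworks configuration):
# each entry is an argv list, never a string handed to a shell.
ALLOWED_COMMANDS = {"hello": ["echo", "hello"], "disk": ["df", "-h"]}
OUTPUT_ROOT = "/var/tmp/cmd-output"  # assumed directory for command output
SHELL_META = set("|&;<>`$()\n")


def validate_output_path(user_name: str, root: str = OUTPUT_ROOT) -> Path:
    """Return the confined output path, or raise ValueError.

    Rejects shell metacharacters (a name such as 'out > /etc/passwd' never
    reaches a shell here anyway, but it is refused explicitly) and any
    name that resolves outside the allowlisted root (e.g. '../../etc/shadow').
    """
    if any(ch in SHELL_META for ch in user_name):
        raise ValueError("shell metacharacter in output name")
    root_path = Path(root).resolve()
    target = (root_path / user_name).resolve()
    if target == root_path or root_path not in target.parents:
        raise ValueError("output path escapes allowlisted directory")
    return target


def is_safe_output_name(user_name: str, root: str = OUTPUT_ROOT) -> bool:
    """Boolean wrapper around validate_output_path for callers and tests."""
    try:
        validate_output_path(user_name, root)
        return True
    except ValueError:
        return False


def run_command(name: str, output_name: str, root: str = OUTPUT_ROOT) -> Path:
    """Run an allowlisted command without a shell and write its stdout ourselves.

    The application, not the shell, decides where output lands, so the
    caller cannot redirect it to an arbitrary file location.
    """
    if name not in ALLOWED_COMMANDS:
        raise ValueError("command not allowlisted")
    target = validate_output_path(output_name, root)
    target.parent.mkdir(parents=True, exist_ok=True)
    result = subprocess.run(ALLOWED_COMMANDS[name], capture_output=True,
                            text=True, check=False)  # argv list: no shell parsing
    target.write_text(result.stdout)
    return target
```

The process running this code should itself hold only the privileges needed to write under the output directory (AC-6), so that even a validation bypass cannot reach protected system files.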