Cyber Posture

CVE-2026-29092

Medium

Published: 25 March 2026

Modified: 27 March 2026
CVSS Score: 4.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0005 (14.2nd percentile)
Risk Priority: 10 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-29092 is a medium-severity Insufficient Session Expiration (CWE-613) vulnerability in Accellion Kiteworks. Its CVSS base score is 4.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). The CVE ranks at the 14.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Valid Accounts (T1078) and one other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-12 Session Termination (prevent)
Mandates automatic termination of user sessions upon organization-defined trigger events such as account disablement, directly preventing continued unauthorized access after blocking.

Account management (prevent)
Requires timely disablement and management of user accounts, which supports invalidation of associated sessions to mitigate persistent access post-disablement.

SI-2 Flaw Remediation (prevent, recover)
Ensures identification, reporting, and correction of flaws like insufficient session expiration through timely patching, as recommended for this CVE.

MITRE ATT&CK Enterprise Techniques

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1550.004 Web Session Cookie (Lateral Movement)
Adversaries can use stolen session cookies to authenticate to web applications and services.

Why these techniques?

The flaw directly enables continued abuse of disabled high-privilege accounts via still-valid web sessions (T1078 Valid Accounts + T1550.004 Web Session Cookie).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.

Deeper analysis

CVE-2026-29092 is a session management vulnerability in the Kiteworks Email Protection Gateway component of Kiteworks, a private data network (PDN). Prior to version 9.2.1, the flaw allows users whose accounts have been blocked or disabled to retain active sessions, enabling continued access until the sessions naturally expire. The vulnerability is classified under CWE-613 (Insufficient Session Expiration) with a CVSS v3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N): the flaw is reachable over the network with low attack complexity, requires high privileges, and its impact is confined to integrity.

Exploitation requires high privileges (PR:H), targeting authenticated users with administrative or elevated roles whose accounts are subsequently disabled. An attacker with such an account could maintain unauthorized access to Kiteworks resources post-disablement, potentially performing integrity-modifying actions like altering data or configurations until session timeouts occur, without needing user interaction or affecting confidentiality or availability.

The Kiteworks security advisory recommends upgrading to version 9.2.1 or later, where the patch addresses the session invalidation issue upon account disablement. Additional details are available in the GitHub Security Advisory at https://github.com/kiteworks/security-advisories/security/advisories/GHSA-92w7-fpjr-wpxc.
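As an added illustration (constructed for this page; not Kiteworks code and not from the advisory), the session pattern described above in a hypothetical Python store. With hardened=False, disabling the account leaves its live session usable until the TTL lapses, which is the CWE-613 behaviour; with hardened=True the disable event revokes the account's sessions and every request re-checks account status, which is the AC-12 trigger-event termination the controls section recommends. A stale_sessions() audit check is included so a defender can confirm no session outlives its account.

```python
import secrets

class SessionStore:
    # Constructed in-memory store; hardened=False reproduces the CWE-613 pattern.
    def __init__(self, ttl_seconds=3600, hardened=True):
        self.ttl, self.hardened = ttl_seconds, hardened
        self.accounts = {}   # username -> {"disabled": bool}
        self.sessions = {}   # token -> {"user": str, "expires": float}

    def add_account(self, user):
        self.accounts[user] = {"disabled": False}

    def login(self, user, now):
        if self.accounts[user]["disabled"]:
            raise PermissionError("account disabled")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "expires": now + self.ttl}
        return token

    def disable_account(self, user):
        self.accounts[user]["disabled"] = True
        if self.hardened:
            # Fix: disablement is the trigger event that terminates every live
            # session of the account (NIST AC-12), not only future logins.
            for t in [t for t, s in self.sessions.items() if s["user"] == user]:
                del self.sessions[t]

    def authorize(self, token, now):
        """Return the username if the session may be used, else None."""
        sess = self.sessions.get(token)
        if sess is None or sess["expires"] <= now:
            self.sessions.pop(token, None)   # expired by TTL
            return None
        if self.hardened and self.accounts[sess["user"]]["disabled"]:
            del self.sessions[token]         # defence in depth: re-check status per request
            return None
        return sess["user"]

    def stale_sessions(self):
        """Audit check: live sessions that belong to disabled accounts (should be empty)."""
        return [t for t, s in self.sessions.items() if self.accounts[s["user"]]["disabled"]]

def demo(hardened):
    # Disable an admin who holds a live session, then see what that session can still do.
    store = SessionStore(ttl_seconds=3600, hardened=hardened)
    store.add_account("admin")
    tok = store.login("admin", now=0)
    store.disable_account("admin")
    return {"after_disable": store.authorize(tok, now=60),
            "stale": len(store.stale_sessions()),
            "after_ttl": store.authorize(tok, now=4000)}
```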

Details

CWE(s): CWE-613 (Insufficient Session Expiration)

Affected Products: accellion kiteworks ≤ 9.2.1

CVEs Like This One

CVE-2026-28272 (same product: Accellion Kiteworks)
CVE-2026-28269 (same product: Accellion Kiteworks)
CVE-2026-24750 (same product: Accellion Kiteworks)
CVE-2026-23636 (same product: Accellion Kiteworks)
CVE-2026-28270 (same product: Accellion Kiteworks)
CVE-2026-23514 (same product: Accellion Kiteworks)
CVE-2025-36376 (shared CWE-613)
CVE-2024-13280 (shared CWE-613)
CVE-2025-56643 (shared CWE-613)
CVE-2025-59786 (shared CWE-613)
