{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23635", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.483Z", "datePublished": "2026-03-25T16:57:19.199Z", "dateUpdated": "2026-03-25T18:06:51.357Z"}, "containers": {"cna": {"title": "Kiteworks Secure Data Forms has a potential Unprotected Transport of Credentials", "problemTypes": [{"descriptions": [{"cweId": "CWE-523", "lang": "en", "description": "CWE-523: Unprotected Transport of Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-9hw2-6qp4-3v8f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-9hw2-6qp4-3v8f"}], "affected": [{"vendor": "kiteworks", "product": "Secure Data Forms", "versions": [{"version": "< 9.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T16:58:09.786Z"}, "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potentially lead to Unprotected Transport of Credentials under certain circumstances. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}], "source": {"advisory": "GHSA-9hw2-6qp4-3v8f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T17:51:55.311509Z", "id": "CVE-2026-23635", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T18:06:51.357Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23635", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T17:51:55.311509Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:52:35.550Z"}}], "cna": {"title": "Kiteworks Secure Data Forms has a potential Unprotected Transport of Credentials", "source": {"advisory": "GHSA-9hw2-6qp4-3v8f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "kiteworks", "product": "Secure Data Forms", "versions": [{"status": "affected", "version": "< 9.2.1"}]}], "references": [{"url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-9hw2-6qp4-3v8f", "name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-9hw2-6qp4-3v8f", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potentially lead to Unprotected Transport of Credentials under certain circumstances. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-523", "description": "CWE-523: Unprotected Transport of Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T16:58:09.786Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23635", "state": "PUBLISHED", "dateUpdated": "2026-03-25T18:06:51.357Z", "dateReserved": "2026-01-14T16:08:37.483Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T16:57:19.199Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). In Kiteworks Secure Data Forms prior to version 9.2.1, a misconfiguration of the security attributes could potentially lead to Unprotected Transport of Credentials under certain circumstances. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}], "id": "CVE-2026-23635", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:35.480", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-9hw2-6qp4-3v8f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-523"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Secure Data Forms", "source": "cna", "vendor": "kiteworks"}, "product": "secure_data_forms", "vendor": "kiteworks"}], "analysis": {"en": {"generated_at": "2026-03-25T19:08:41.220283+00:00", "value": {"mitigation_remediation": ["Upgrade Kiteworks Secure Data Forms to version 9.2.1 or later."], "summary": {"action": "Immediate Patch", "impact": "Unprotected Transport of Credentials"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Kiteworks Secure Data Forms application manufactured by Kiteworks. Installed versions earlier than 9.2.1 are susceptible. No additional vendors or products are listed, and the advisory does not specify a broader scope beyond Kiteworks secure data forms.\n", "description_and_impact": "Kiteworks Secure Data Forms relies on proper configuration of security attributes to protect credentials during transmission. In versions prior to 9.2.1, a misconfiguration can cause credentials to be sent over an unencrypted channel, exposing them to interception. The weakness aligns with CWE\u2011523, where sensitive information is not transmitted securely, potentially compromising confidentiality and enabling credential theft.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate to high severity level. The EPSS score is not provided, so the likelihood of immediate exploitation cannot be quantified. The vulnerability is not included in the CISA KEV catalog, suggesting it is not a widely exploited issue yet. Exploitation requires an attacker to discover the misconfigured security settings and then intercept credentials during transmission. The attack vector is inferred to be a configuration-based flaw rather than an attacker-controlled code path. Given the need for misconfiguration, threating conditions may be limited to environments where administrators have not applied the suggested patch."}}}}, "created": "2026-03-25T21:46:43.623002+00:00", "updated": "2026-03-26T11:34:26.591483+00:00", "vendors": ["kiteworks", "kiteworks$PRODUCT$secure_data_forms"]}