{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29092", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T21:54:06.707Z", "datePublished": "2026-03-25T16:59:55.033Z", "dateUpdated": "2026-03-25T17:29:41.481Z"}, "containers": {"cna": {"title": "Kiteworks Email Protection Gateway has an Insufficient Session Expiration", "problemTypes": [{"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-92w7-fpjr-wpxc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-92w7-fpjr-wpxc"}], "affected": [{"vendor": "kiteworks", "product": "Kiteworks Email Protection Gateway", "versions": [{"version": "< 9.2.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T16:59:55.033Z"}, "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}], "source": {"advisory": "GHSA-92w7-fpjr-wpxc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T17:29:30.459619Z", "id": "CVE-2026-29092", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:29:41.481Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29092", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T17:29:30.459619Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T17:29:36.886Z"}}], "cna": {"title": "Kiteworks Email Protection Gateway has an Insufficient Session Expiration", "source": {"advisory": "GHSA-92w7-fpjr-wpxc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "kiteworks", "product": "Kiteworks Email Protection Gateway", "versions": [{"status": "affected", "version": "< 9.2.1"}]}], "references": [{"url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-92w7-fpjr-wpxc", "name": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-92w7-fpjr-wpxc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T16:59:55.033Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29092", "state": "PUBLISHED", "dateUpdated": "2026-03-25T17:29:41.481Z", "dateReserved": "2026-03-03T21:54:06.707Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T16:59:55.033Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch."}], "id": "CVE-2026-29092", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T17:16:57.330", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/kiteworks/security-advisories/security/advisories/GHSA-92w7-fpjr-wpxc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,9.2.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Kiteworks Email Protection Gateway", "source": "cna", "vendor": "kiteworks"}, "product": "kiteworks_email_protection_gateway", "vendor": "kiteworks"}], "analysis": {"en": {"generated_at": "2026-03-25T20:07:27.318737+00:00", "value": {"mitigation_remediation": ["Upgrade Kiteworks Email Protection Gateway to version 9.2.1 or later to apply the patch that enforces session termination for disabled accounts."], "summary": {"action": "Patch Now", "impact": "Unauthorized Session Persistence"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Kiteworks Email Protection Gateway, specifically versions earlier than 9.2.1. System administrators should review deployments and ensure that any instance running a pre\u20119.2.1 version is identified.", "description_and_impact": "A flaw in the session management of Kiteworks Email Protection Gateway permits a blocked user to retain an active session after their account is disabled. When the system fails to terminate that session, the attacker can continue to access the private data network until the session times out naturally, potentially exposing confidential information. This weakness falls under session management (CWE-613) and enables unauthorized access that should have been revoked.", "risk_and_exploitability": "The CVSS score of 4.9 indicates a moderate risk, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the exploitable condition requires a user account to be blocked while a session remains active, the attack surface is limited to existing session holders. Nevertheless, blocked users can maintain access for an indeterminate period until natural session expiration, which poses a risk of continued unauthorized activity and potential data exposure."}}}}, "created": "2026-03-25T21:46:41.557747+00:00", "updated": "2026-03-26T11:34:24.790833+00:00", "vendors": ["kiteworks", "kiteworks$PRODUCT$kiteworks_email_protection_gateway"]}