CVE-2026-24761 Kiteworks Secure Data Forms is vulnerable to Authorization Bypass Through User-Controlled Key

Kiteworks is a private data network PDN. Prior to version 9.3.0, an Insecure Direct Object Reference IDOR vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource...

EUVD-2026-33840

Kiteworks is a private data network PDN. Prior to version 9.3.0, an Insecure Direct Object Reference IDOR vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource...

CVE-2026-24761

The CVE-2026-24761 entry concerns Kiteworks Secure Data Forms prior to version 9.3.0, where an Insecure Direct Object Reference (IDOR) allows an authenticated user to access metadata of resources belonging to other users due to insufficient ownership checks. Affected product is Kiteworks Secure D...

CVE-2026-24761

Kiteworks is a private data network PDN. Prior to version 9.3.0, an Insecure Direct Object Reference IDOR vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource...

PT-2026-45653

Kiteworks is a private data network PDN. Prior to version 9.3.0, an Insecure Direct Object Reference IDOR vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource...

PT-2026-25775

While testing the OAuth Proxy implementation, it was noticed that the server does not properly respect the resource parameter submitted by the client in the authorization and token request. Instead of issuing the token explicitly for this MCP server, the token is issued for the base url passed to...

Denial Of Service (DoS)

github.com/siderolabs/omni is vulnerable to Denial of service DoS. The vulnerability is due to improper validation of the resource metadata field in the isSensitiveSpec function, followed by an unchecked call to CreateResource, which allows an attacker to send empty create/update requests...

FastMCP Auth Integration Allows for Confused Deputy Account Takeover

Summary FastMCP documentation covers the scenario where it is possible to use Entra ID or other providers for authentication. In this context, because Entra ID does not support Dynamic Client Registration DCR, the FastMCP-hosted MCP server is acting as the authorization provider, as declared in t...