CVE-2026-29092 MEDIUM

CVE-2026-29092: Kiteworks Email Protection Gateway has Insufficient Session Expiration

Vendor Kiteworks
Product Kiteworks Email Protection Gateway
Weakness CWE-613 · Insufficient session expiration
Published March 25, 2026
Last update March 25, 2026

CVSS base score

4.9/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.

Key dates

02 Disclosure timeline

March 25, 2026 CVE published
March 25, 2026 Record updated