๐Ÿ” CVE Alert

CVE-2026-29092

MEDIUM 4.9

Kiteworks Email Protection Gateway has an Insufficient Session Expiration

CVSS Score: 4.9
EPSS Score: 0.0%
EPSS Percentile: 0th

Kiteworks is a private data network (PDN). Prior to version 9.2.1, a vulnerability in Kiteworks Email Protection Gateway session management allows blocked users to maintain active sessions after their account is disabled. This could allow unauthorized access to continue until the session naturally expires. Upgrade Kiteworks to version 9.2.1 or later to receive a patch.

CWE CWE-613
Vendor kiteworks
Product kiteworks email protection gateway
Published Mar 25, 2026
Last Updated Mar 25, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None

Affected Versions

kiteworks / Kiteworks Email Protection Gateway
< 9.2.1

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/kiteworks/security-advisories/security/advisories/GHSA-92w7-fpjr-wpxc