Skip to main content

Progress Sitefinity CVE-2026-7198

| EUVDEUVD-2026-33919 CRITICAL
Improper Access Control (CWE-284)
2026-06-02 security@progress.com GHSA-9pjg-65cc-3h57
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 16:01 EUVD
Analysis Generated
Jun 02, 2026 - 14:31 vuln.today

DescriptionCVE.org

CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations.

AnalysisAI

Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to reach restricted content via the product's web services, leading to full compromise of confidentiality, integrity, and availability. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects trivial network-reachable exploitation, and Progress has issued a coordinated advisory covering this and four sibling CVEs; no public exploit identified at time of analysis.

Technical ContextAI

Progress Sitefinity is a .NET-based digital experience / content management platform that exposes administrative and content APIs through web service endpoints. The flaw is classified as CWE-284 (Improper Access Control), meaning an authorization decision in one or more of these web service handlers fails to enforce the expected restriction - typically because an endpoint either omits an authorization attribute, trusts a client-controlled identifier, or evaluates permissions against the wrong principal. Because Sitefinity's web services are the same surface used for content management and configuration, a broken access check there directly maps to read/write access on otherwise protected resources rather than only data disclosure.

RemediationAI

Vendor-released patch: Progress Sitefinity 15.4.8630 - upgrade 15.4.8623 installations to that build using the May 2026 Sitefinity Security Advisory at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026, which also addresses CVE-2026-7312, CVE-2026-7195, CVE-2026-7201, and CVE-2026-7313 in the same release. If patching cannot occur immediately, restrict network reachability of the Sitefinity web services to trusted management networks via firewall or WAF rules and block external access to the /Sitefinity/Services/ and related service endpoints - note this will break any legitimate external integrations or headless front-ends that consume those APIs, so inventory consumers first. Increase monitoring on the web service paths for anomalous unauthenticated requests and unexpected content reads or writes until the upgrade is applied.

CVE-2018-17055 HIGH POC
7.5 Sep 28

An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Ra

CVE-2026-7312 CRITICAL
10.0 Jun 02

Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve pla

CVE-2023-29375 CRITICAL
9.8 Apr 10

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2

CVE-2019-17392 CRITICAL
9.8 Nov 26

Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is

CVE-2026-7195 HIGH
8.8 Jun 02

Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenti

CVE-2026-7201 HIGH
8.8 Jun 02

Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to

CVE-2026-7313 HIGH
8.7 Jun 02

Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to re

CVE-2024-1632 MEDIUM
6.5 Feb 28

Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrati

CVE-2019-7215 MEDIUM
6.5 Jun 06

Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. Rated medium severity (CVSS 6.5), this v

CVE-2024-1636 MEDIUM
5.4 Feb 28

Potential Cross-Site Scripting (XSS) in the page editing area. Rated medium severity (CVSS 5.4), this vulnerability is r

CVE-2023-29376 MEDIUM
5.4 Apr 10

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2

CVE-2023-6784 MEDIUM
4.3 Dec 20

A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. Rated medium sever

Share

CVE-2026-7198 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy