Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations.
AnalysisAI
Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to reach restricted content via the product's web services, leading to full compromise of confidentiality, integrity, and availability. The CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) rating reflects trivial network-reachable exploitation, and Progress has issued a coordinated advisory covering this and four sibling CVEs; no public exploit identified at time of analysis.
Technical ContextAI
Progress Sitefinity is a .NET-based digital experience / content management platform that exposes administrative and content APIs through web service endpoints. The flaw is classified as CWE-284 (Improper Access Control), meaning an authorization decision in one or more of these web service handlers fails to enforce the expected restriction - typically because an endpoint either omits an authorization attribute, trusts a client-controlled identifier, or evaluates permissions against the wrong principal. Because Sitefinity's web services are the same surface used for content management and configuration, a broken access check there directly maps to read/write access on otherwise protected resources rather than only data disclosure.
RemediationAI
Vendor-released patch: Progress Sitefinity 15.4.8630 - upgrade 15.4.8623 installations to that build using the May 2026 Sitefinity Security Advisory at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026, which also addresses CVE-2026-7312, CVE-2026-7195, CVE-2026-7201, and CVE-2026-7313 in the same release. If patching cannot occur immediately, restrict network reachability of the Sitefinity web services to trusted management networks via firewall or WAF rules and block external access to the /Sitefinity/Services/ and related service endpoints - note this will break any legitimate external integrations or headless front-ends that consume those APIs, so inventory consumers first. Increase monitoring on the web service paths for anomalous unauthenticated requests and unexpected content reads or writes until the upgrade is applied.
More in Sitefinity
View allAn arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Ra
Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve pla
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2
Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is
Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenti
Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to
Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to re
Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrati
Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. Rated medium severity (CVSS 6.5), this v
Potential Cross-Site Scripting (XSS) in the page editing area. Rated medium severity (CVSS 5.4), this vulnerability is r
An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2
A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. Rated medium sever
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33919
GHSA-9pjg-65cc-3h57