Skip to main content

Progress Sitefinity CVE-2026-7201

| EUVDEUVD-2026-33920 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-02 security@progress.com GHSA-62q8-jg47-5wpw
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 02, 2026 - 16:01 EUVD
Analysis Generated
Jun 02, 2026 - 14:32 vuln.today

DescriptionCVE.org

CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.

AnalysisAI

Authenticated account takeover in Progress Sitefinity 15.2.x, 15.3.x, and 15.4.x allows a low-privileged remote user to modify account properties belonging to other users - including potentially higher-privileged accounts - by manipulating user-controlled identifiers in web service requests. The flaw is an IDOR-style authorization bypass (CWE-639) and, while no public exploit has been identified at time of analysis, the 8.8 CVSS rating reflects realistic escalation to account compromise once a foothold exists. No vendor-released patch data, KEV listing, or EPSS score was supplied with this advisory.

Technical ContextAI

Progress Sitefinity is a .NET-based digital experience and web content management platform commonly deployed for enterprise marketing sites, intranets, and customer portals. The vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), an Insecure Direct Object Reference pattern in which a backend web service trusts a client-supplied identifier (such as a user ID, GUID, or account key) to determine which record to operate on, without enforcing that the requesting principal owns or has rights over that record. In Sitefinity's case, one or more account-management web service endpoints accept attacker-controlled keys and apply property modifications without performing a proper ownership or role check, so authenticated low-privileged sessions can reach data scoped to other identities.

RemediationAI

Upgrade to Sitefinity 15.2.8441, 15.3.8531, or 15.4.8630 (or later) on the corresponding branch, per the Progress May 2026 security advisory at https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026. Where immediate patching is not possible, restrict the affected account-management web service endpoints at the reverse proxy or WAF layer so that they are reachable only from trusted administrative networks - this will break legitimate self-service profile flows for end users and should be coupled with monitoring of authenticated requests for anomalous user-identifier parameters and out-of-pattern profile modifications. Disabling or tightening self-registration reduces the pool of authenticated attackers who can attempt the bypass, at the cost of friction for new customer signups. Rotate credentials and review audit logs for unexpected profile changes on any instance that may have been exposed before patching.

CVE-2018-17055 HIGH POC
7.5 Sep 28

An arbitrary file upload vulnerability in Progress Sitefinity CMS versions 4.0 through 11.0 related to image uploads. Ra

CVE-2026-7312 CRITICAL
10.0 Jun 02

Credential disclosure in Progress Sitefinity 14.0.7700-15.4.8630 allows remote unauthenticated attackers to retrieve pla

CVE-2026-7198 CRITICAL
9.8 Jun 02

Unauthenticated access control bypass in Progress Sitefinity 15.4.8623 (fixed in 15.4.8630) enables remote attackers to

CVE-2023-29375 CRITICAL
9.8 Apr 10

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2

CVE-2019-17392 CRITICAL
9.8 Nov 26

Progress Sitefinity 12.1 has a Weak Password Recovery Mechanism for a Forgotten Password because the HTTP Host header is

CVE-2026-7195 HIGH
8.8 Jun 02

Account compromise in Progress Sitefinity CMS (14.1.x-15.4.x prior to the May 2026 fix train) allows a remote unauthenti

CVE-2026-7313 HIGH
8.7 Jun 02

Credential exposure in Progress Sitefinity versions 8.0.5700 through 13.3.7652 allows authenticated back-end users to re

CVE-2024-1632 MEDIUM
6.5 Feb 28

Low-privileged users with access to the Sitefinity backend may obtain sensitive information from the site's administrati

CVE-2019-7215 MEDIUM
6.5 Jun 06

Progress Sitefinity 10.1.6536 does not invalidate session cookies upon logouts. Rated medium severity (CVSS 6.5), this v

CVE-2024-1636 MEDIUM
5.4 Feb 28

Potential Cross-Site Scripting (XSS) in the page editing area. Rated medium severity (CVSS 5.4), this vulnerability is r

CVE-2023-29376 MEDIUM
5.4 Apr 10

An issue was discovered in Progress Sitefinity 13.3 before 13.3.7647, 14.0 before 14.0.7736, 14.1 before 14.1.7826, 14.2

CVE-2023-6784 MEDIUM
4.3 Dec 20

A malicious user could potentially use the Sitefinity system for the distribution of phishing emails. Rated medium sever

Share

CVE-2026-7201 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy