CVE-2026-7201
Authorization Bypass in Progress Sitefinity
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Progress Software Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| progress | sitefinity | to 15.2.8441 (exc) |
| progress | sitefinity | to 15.3.8531 (exc) |
| progress | sitefinity | to 15.4.8630 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authorization bypass issue in Progress Sitefinity web services versions 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630. It allows a remote authenticated attacker to modify account properties of other users by exploiting a user-controlled key. The attacker must have knowledge of certain values that are not typically exposed to low-privileged users to successfully exploit this flaw.
How can this vulnerability impact me? :
The vulnerability can lead to account compromise because an attacker who successfully exploits it can modify account properties of other users. This can result in unauthorized access, data manipulation, and potentially full control over other user accounts within the affected Sitefinity system.