CVE-2026-7201 PUBLISHED

CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity

Assigner: ProgressSoftware
Reserved: 27.04.2026 Published: 02.06.2026 Updated: 02.06.2026

CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Progress Software
Product	Sitefinity
Versions	Default: unaffected affected from 15.2.8400 to 15.2.8441 (excl.) affected from 15.3.8500 to 15.3.8531 (excl.) affected from 15.4.8600 to 15.4.8630 (excl.)

References

https://community.progress.com/s/article/Sitefinity-Security-Advisory-for-Addressing-Security-Vulnerabilities-CVE-2026-7312-CVE-2026-7198-CVE-2026-7195-CVE-2026-7201-CVE-2026-7313-May-2026

Problem Types

CWE-639: Authorization Bypass Through User-Controlled Key CWE

Impacts

CAPEC-21: Exploitation of Trusted Identifiers