CVE-2026-7201: CWE-639: Authorization Bypass Through User-Controlled Key in Progress Software Sitefinity
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
AI Analysis
Technical Summary
This vulnerability (CVE-2026-7201) in Progress Software Sitefinity involves an authorization bypass through user-controlled keys in web services. It affects versions 15.2.x prior to 15.2.8441, 15.3.x prior to 15.3.8531, and 15.4.x prior to 15.4.8630. A remote attacker with authenticated access can leverage knowledge of specific, non-public values to modify other users' account properties, potentially leading to account compromise. The CVSS 3.1 score of 8.8 reflects high impact on confidentiality, integrity, and availability. The vendor has not yet published a patch or official remediation details, and no cloud service is involved.
Potential Impact
Successful exploitation allows a remote authenticated attacker to modify account properties of other users, which can lead to account compromise. This impacts confidentiality, integrity, and availability of user accounts within the affected Sitefinity versions. The vulnerability requires authenticated access and knowledge of certain values not typically available to low-privileged users. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict authenticated user privileges to the minimum necessary and monitor for suspicious account modifications. Avoid exposing or sharing internal values that could be used to exploit this vulnerability.
CVE-2026-7201: CWE-639: Authorization Bypass Through User-Controlled Key in Progress Software Sitefinity
Description
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
CVSS v3.1
Score 8.8high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2026-7201) in Progress Software Sitefinity involves an authorization bypass through user-controlled keys in web services. It affects versions 15.2.x prior to 15.2.8441, 15.3.x prior to 15.3.8531, and 15.4.x prior to 15.4.8630. A remote attacker with authenticated access can leverage knowledge of specific, non-public values to modify other users' account properties, potentially leading to account compromise. The CVSS 3.1 score of 8.8 reflects high impact on confidentiality, integrity, and availability. The vendor has not yet published a patch or official remediation details, and no cloud service is involved.
Potential Impact
Successful exploitation allows a remote authenticated attacker to modify account properties of other users, which can lead to account compromise. This impacts confidentiality, integrity, and availability of user accounts within the affected Sitefinity versions. The vulnerability requires authenticated access and knowledge of certain values not typically available to low-privileged users. There are no known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict authenticated user privileges to the minimum necessary and monitor for suspicious account modifications. Avoid exposing or sharing internal values that could be used to exploit this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- ProgressSoftware
- Date Reserved
- 2026-04-27T13:52:28.344Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a1ee64ce29bf47b50d3a845
Added to database: 6/2/2026, 2:18:52 PM
Last enriched: 6/2/2026, 2:48:34 PM
Last updated: 6/3/2026, 4:08:55 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.