HarborGuard Database
CRITICAL | CVE-2026-7198 | CNA: Progress Software

CVE-2026-7198: CWE-284: Improper Access Control in web services in Progress Sitefinity

CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: 15.4.8630
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An improper access control vulnerability in the web services component of Progress Sitefinity versions 15.4.8623 through 15.4.8629 allows a remote, unauthenticated attacker to bypass authorization checks entirely. The vulnerability is reachable over the network with no credentials required and no victim interaction needed. Successful exploitation gives the attacker full read, write, and availability control over the affected installation. A patched-image rebuild at version 15.4.8630 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-7198 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Sitefinity components. Any image carrying a Sitefinity version between 15.4.8623 and 15.4.8629 is flagged automatically.

Triage (Available)

HarborGuard scores this CVE at CVSS 9.8 Critical and surfaces it accordingly in each environment's finding queue, weighted against that customer org's compliance policy to determine breach thresholds and escalation paths. Routing rules direct the alert to the team or inbox configured for Critical-severity web-application findings within each organization.

Patch (Available)

A patched-image rebuild based on Sitefinity 15.4.8630 becomes available on HarborGuard for every environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against the affected workloads automatically.
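The Detection section above comes down to one check: does the Sitefinity build recorded for an image fall inside the advisory's affected range, `>= 15.4.8623` and `< 15.4.8630`? The following Python is an added example, not HarborGuard's scanner code, showing how that range check is done correctly (numeric, component-wise comparison rather than string comparison) and how an inventory scan should treat labels it cannot parse. The image names and version labels in `SAMPLE_INVENTORY` are constructed for the example; only the two range boundaries come from the advisory.

```python
# Added example (not HarborGuard's code): decide whether an observed Sitefinity
# build falls inside the affected range published for CVE-2026-7198,
# "< 15.4.8630 (from 15.4.8623)", and scan a constructed image inventory.

from typing import Iterable

# Range boundaries taken from the advisory's "Affected packages" block.
INTRODUCED = "15.4.8623"   # first affected build (inclusive)
FIXED = "15.4.8630"        # first fixed build (exclusive upper bound)

# Allowed metric values per CVSS base metric are not needed here; the only
# input format is a dotted numeric build string such as "15.4.8623".


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted numeric version such as '15.4.8623' into an int tuple.

    Non-numeric components raise ValueError so that a malformed label is
    reported rather than silently compared as text ("15.4.9" < "15.4.86").
    """
    parts = version.strip().split(".")
    if not parts or any(not p.isdigit() for p in parts):
        raise ValueError(f"not a numeric dotted version: {version!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a comparator; shorter tuples are zero-padded."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(version: str, introduced: str = INTRODUCED, fixed: str = FIXED) -> bool:
    """True when introduced <= version < fixed, the advisory's range semantics."""
    return compare_versions(version, introduced) >= 0 and compare_versions(version, fixed) < 0


def classify_inventory(inventory: Iterable[dict]) -> dict:
    """Split inventory records into 'affected' and 'needs_review' image names.

    Each record is {"image": ..., "sitefinity_version": ...}. A missing or
    unparseable version goes to needs_review so it is never treated as safe.
    """
    result = {"affected": [], "needs_review": []}
    for record in inventory:
        label = record.get("sitefinity_version")
        try:
            if label is None:
                raise ValueError("no version label")
            if is_affected(label):
                result["affected"].append(record["image"])
        except ValueError:
            result["needs_review"].append(record["image"])
    return result


# Constructed sample inventory; image names and labels are made up for the example.
SAMPLE_INVENTORY = [
    {"image": "registry.example/cms/sitefinity:a", "sitefinity_version": "15.4.8623"},
    {"image": "registry.example/cms/sitefinity:b", "sitefinity_version": "15.4.8629"},
    {"image": "registry.example/cms/sitefinity:c", "sitefinity_version": "15.4.8630"},
    {"image": "registry.example/cms/sitefinity:d", "sitefinity_version": "15.3.8700"},
    {"image": "registry.example/cms/sitefinity:e", "sitefinity_version": "15.4"},
    {"image": "registry.example/cms/sitefinity:f", "sitefinity_version": "15.4.8625-hotfix"},
    {"image": "registry.example/cms/sitefinity:g"},
]

if __name__ == "__main__":
    verdict = classify_inventory(SAMPLE_INVENTORY)
    for name in verdict["affected"]:
        print("AFFECTED:", name)
    for name in verdict["needs_review"]:
        print("REVIEW (version missing or unparseable):", name)
```

The `needs_review` bucket is the part worth copying: a scanner that drops records it cannot parse will quietly under-report, and a vendor hotfix suffix on a build label is exactly the kind of input that trips naive matchers.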

Exploit Conditions

  • Network reachability: Required

    The vulnerable web services endpoint is exposed over the network, so the attacker must be able to reach the host via HTTP/HTTPS from the internet or an internal network segment.

  • Authentication: Not required

    No credentials of any privilege level are needed; the access control bypass is exploitable by a fully anonymous, unauthenticated request.

  • Victim interaction: Not required

    The attacker makes direct requests to the service and does not need any user on the target system to open a link, file, or page.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental setup beyond network access to the service.

Blast Radius

  • Reads all restricted content managed by Sitefinity, including unpublished pages, media assets, user records, and any data exposed through the web services layer.
  • Writes or modifies persisted content, configuration, and data records through the same unauthenticated web services access, allowing an attacker to alter or delete site content and settings.
  • Crashes or degrades the Sitefinity installation by abusing service endpoints, denying legitimate users and administrators access to the platform.
  • Because all three of confidentiality, integrity, and availability are fully compromised, an attacker can chain read-write access into persistent backdoor setup or full takeover of the application.

How HarborGuard Handles This

Available on HarborGuard: detection fires within minutes of CVE publication for any image in a connected registry or pipeline that carries an affected Sitefinity build (15.4.8623 through 15.4.8629). Because this is a Critical-severity, network-exploitable, zero-authentication issue, it is prioritized at the top of the triage queue under default compliance policies. Where auto-remediation is enabled, HarborGuard makes a rebuilt image at version 15.4.8630 available, runs regression checks, and opens a pull request against affected workloads; the median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation is not enabled, the finding card links directly to the fix version and provides remediation guidance so engineers can act manually. Until the patched image is deployed, customers should consider placing network-policy controls in front of Sitefinity web services endpoints to restrict inbound access to known IP ranges, reducing exposure while a formal patch is staged.


Fix available

  • Fixed in: 15.4.8630
  • Affected packages: Progress Software / Sitefinity, < 15.4.8630 (from 15.4.8623)
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H