HarborGuard Database

CVE-2026-7201 · Severity: HIGH · CNA: Progress Software

CVE-2026-7201: CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity

CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: 15.2.8441 (15.2.x), 15.3.8531 (15.3.x), 15.4.8630 (15.4.x)
Affected Products: 1


HarborGuard Analysis

Synopsis

An authorization bypass through user-controlled key (the IDOR class, CWE-639) affects Progress Sitefinity versions 15.2.x, 15.3.x, and 15.4.x before their respective patch releases. The flaw is reachable over the network and requires only a low-privilege authenticated account, so any registered user who learns the identifying values of a target account (values the advisory says are not generally exposed to low-privileged users) can tamper with that account's properties. Successful exploitation lets an attacker modify other accounts in ways that can lead to full account compromise. Patched-image rebuilds at versions 15.2.8441, 15.3.8531, and 15.4.8630 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-7201 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that package Sitefinity, in both registry scans and CI pipeline checks.

Triage: Available

HarborGuard scores this CVE at CVSS 8.8 (HIGH) and weights that score against each environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer organization based on workload ownership and policy configuration.

Patch: Available

A patched-image rebuild targeting Sitefinity 15.2.8441, 15.3.8531, or 15.4.8630 (matched to the affected minor branch) becomes available through HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The vulnerable web service endpoint is exposed over the network, so an attacker must be able to reach the Sitefinity instance via HTTP/HTTPS.

  • Authentication: Required

    A low-privilege authenticated account is sufficient; any registered user credential meets this requirement.

  • Victim interaction: Not required

    No action by another user or administrator is needed to trigger the vulnerability.

  • Attack complexity: Low, with a reconnaissance prerequisite

    The CVSS vector rates attack complexity Low (AC:L): once the attacker holds an account and knows the target's key, exploitation needs no race, special configuration or guesswork. The advisory does note, however, that the attacker must know values that are not generally exposed to low-privileged users, so obtaining the target account's identifying values is a preliminary reconnaissance step on top of the authenticated request itself.
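The pattern behind the exploit conditions above, as an added illustration that is not Sitefinity code and not from the advisory: a vulnerable account-update handler that selects the row to modify from a client-supplied `userId`, next to a hardened handler that binds the target to the authenticated principal. The request shape, field names, session layout, role names and the GUID-keyed user store are all assumptions made for the demo; the point it shows is why a key that is "not generally exposed" is the only thing standing between a low-privileged user and another account.

```python
"""Authorization bypass through a user-controlled key (CWE-639), shown as a
vulnerable account-update handler beside a hardened one.

Added illustration, not Sitefinity code: the request shape, the field names,
the session layout and the user store are all assumptions made for the demo."""
import copy

# Constructed user store keyed by opaque identifiers. A low-privileged user is not
# shown other users' keys, which is the reconnaissance step the advisory mentions.
ALICE_ID = "5c2a4b1e-9d1f-4d2b-8f0c-0e2f6b7d1a11"
ADMIN_ID = "0b7f0e2c-3a4d-4e5f-9a1b-2c3d4e5f6a7b"
USERS = {
    ALICE_ID: {"username": "alice", "email": "alice@example.test", "roles": ["Users"]},
    ADMIN_ID: {"username": "admin", "email": "admin@example.test", "roles": ["Administrators"]},
}
SELF_SERVICE_FIELDS = {"email", "username"}   # roles are never client-writable


def fresh_store():
    """Independent copy so each call below starts from the same state."""
    return copy.deepcopy(USERS)


def update_account_vulnerable(store, session, body):
    """Picks the row to modify from the client-supplied 'userId'.

    The only check is that the caller is logged in. Whoever learns another
    user's key can rewrite that user's account: this is the CWE-639 pattern."""
    if session.get("user_id") not in store:
        raise PermissionError("authentication required")
    target = body["userId"]   # user-controlled key, never compared to the caller
    store[target].update({k: v for k, v in body.items() if k in SELF_SERVICE_FIELDS})
    return store[target]


def update_account_fixed(store, session, body):
    """Binds the target to the authenticated principal.

    A non-administrator may only modify their own row, whatever 'userId' the
    request carries; administrators may modify others. The field allow-list
    keeps role assignment out of reach on both paths."""
    caller_id = session.get("user_id")
    if caller_id not in store:
        raise PermissionError("authentication required")
    target = body.get("userId", caller_id)
    if target not in store:
        raise KeyError("unknown user")
    is_admin = "Administrators" in store[caller_id]["roles"]
    if target != caller_id and not is_admin:
        raise PermissionError("cannot modify another user's account")
    store[target].update({k: v for k, v in body.items() if k in SELF_SERVICE_FIELDS})
    return store[target]


def demo():
    """Low-privileged alice, having learned the admin key, submits an email change
    against the admin account. Returns what each handler did."""
    attacker_session = {"user_id": ALICE_ID}
    payload = {"userId": ADMIN_ID, "email": "attacker@example.test"}

    store = fresh_store()
    vulnerable_result = update_account_vulnerable(store, attacker_session, payload)["email"]

    store = fresh_store()
    try:
        update_account_fixed(store, attacker_session, payload)
        fixed_result = "modified"
    except PermissionError:
        fixed_result = "blocked"
    return vulnerable_result, fixed_result, store[ADMIN_ID]["email"]


if __name__ == "__main__":
    print(demo())
```

The hardened handler does two things a CWE-639 review looks for: the row being written is derived from the session, not from the request body, and the writable fields are an explicit allow-list so that even an administrator path cannot be steered into setting roles through this endpoint.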

Blast Radius

  • Attacker modifies account properties of arbitrary other users. The advisory does not enumerate which properties; fields such as email address, username, or role assignments are the natural targets for an account takeover.
  • Modified account properties can be leveraged to take over targeted user accounts, including accounts with elevated privileges.
  • The CVSS vector rates confidentiality impact High (C:H), so user profile data reachable through the same endpoint may also be read as part of the exploit chain.
  • Integrity of user records in the Sitefinity database is compromised, potentially affecting downstream access controls and audit trails.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-7201 is active across all scanning environments the moment the advisory is ingested, covering images in connected registries and images built in CI pipelines. For environments running any affected Sitefinity 15.2.x, 15.3.x, or 15.4.x branch, HarborGuard can produce a rebuilt image pinned to the appropriate patched release (15.2.8441, 15.3.8531, or 15.4.8630). Where compliance policy permits, customers with auto-remediation enabled receive the rebuilt image, a regression-test run, and a pull request opened against affected workloads; median time from CVE publication to merged patch PR for high-severity issues is around 90 minutes in those environments. For customers who manage patching manually, HarborGuard surfaces the affected image list and fix-version targets in the dashboard so engineering teams can prioritize the upgrade without a separate audit step.


Fix available

15.2.8441 · 15.3.8531 · 15.4.8630
Affected packages
  • Progress Software / Sitefinity
    < 15.2.8441 (from 15.2.8400) · < 15.3.8531 (from 15.3.8500) · < 15.4.8630 (from 15.4.8600)
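A version check against the ranges above, as an added helper that is neither a HarborGuard nor a Progress tool: it classifies a Sitefinity build number per branch (the fix for 15.2.x does not cover 15.3.x or 15.4.x, so a plain "is it at least 15.2.8441" comparison would clear a vulnerable 15.3 build) and filters a constructed `image=version` inventory down to the images that need the upgrade. The range starts are the ones listed on this page; because the CVE text itself says "15.x.x before <fix>", builds older than a listed range start are reported separately rather than cleared.

```python
"""Check installed Sitefinity build numbers against the fixed versions in this
advisory. Added helper, not a HarborGuard or Progress tool; the ranges are the
ones listed under Affected packages, and the inventory lines are constructed."""
from typing import List, Optional, Tuple

# (branch, first affected build, first fixed build) from the Affected packages list.
AFFECTED_RANGES = [
    ((15, 2), (15, 2, 8400), (15, 2, 8441)),
    ((15, 3), (15, 3, 8500), (15, 3, 8531)),
    ((15, 4), (15, 4, 8600), (15, 4, 8630)),
]


def parse_version(text: str) -> Tuple[int, int, int]:
    """'15.2.8400' -> (15, 2, 8400). Extra trailing components are ignored."""
    parts = [int(p) for p in text.strip().split(".")]
    if len(parts) < 3:
        raise ValueError(f"expected major.minor.build, got {text!r}")
    return parts[0], parts[1], parts[2]


def assess(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, first fixed build for that branch) for one version string.

    status: 'vulnerable'   build is in a listed branch and below that branch's fix
            'fixed'        build is at or above the fix for its branch
            'below-range'  listed branch but older than the range start the page
                           gives; the CVE text reads '15.x.x before <fix>', so
                           treat it as needing the upgrade until confirmed otherwise
            'not-listed'   branch not covered by this advisory; check separately"""
    v = parse_version(version)
    for branch, first, fixed in AFFECTED_RANGES:
        if v[:2] != branch:
            continue
        fixed_str = ".".join(str(p) for p in fixed)
        if v >= fixed:
            return "fixed", fixed_str
        if v >= first:
            return "vulnerable", fixed_str
        return "below-range", fixed_str
    return "not-listed", None


def vulnerable_images(inventory: List[str]) -> List[Tuple[str, str, str]]:
    """Take 'image=version' lines and return (image, version, fixed) for those
    that need the upgrade (status 'vulnerable' or 'below-range')."""
    hits = []
    for line in inventory:
        image, _, version = line.partition("=")
        status, fixed = assess(version)
        if status in ("vulnerable", "below-range"):
            hits.append((image.strip(), version.strip(), fixed))
    return hits


# Constructed inventory for the demo; not real registry data.
SAMPLE_INVENTORY = [
    "registry.example.test/cms/sitefinity=15.2.8400",
    "registry.example.test/cms/sitefinity-staging=15.3.8531",
    "registry.example.test/cms/sitefinity-legacy=15.4.8629",
    "registry.example.test/cms/sitefinity-old=15.1.8300",
]

if __name__ == "__main__":
    for hit in vulnerable_images(SAMPLE_INVENTORY):
        print("upgrade needed:", *hit)
```

Feed it the output of whatever inventory you already have (image labels, a registry listing, a CMDB export) and treat 'not-listed' as a prompt to check the vendor advisory for that branch, not as a clean result.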
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H