CVE-2026-7312: CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity
CWE-522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to 14.4.8152, and 15.0.8200 to 15.0.8234, and 15.1.8300 to 15.1.8335, 15.2.8400 to 15.2.8441, 15.3.8500 to 15.3.8531, and 15.4.8600 to 15.4.8630 allows a remote unauthenticated attacker to obtain plain-text credentials used to connect to the Sitefinity Insight service. Successful exploitation requires active integration with Sitefinity Insight and non-default site configuration.
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: 14.4.8152
- Affected Products: 1
HarborGuard Analysis
Synopsis
Insufficiently Protected Credentials vulnerability in Progress Sitefinity allows a remote, unauthenticated attacker to retrieve plain-text credentials used by the application to connect to the Sitefinity Insight service. The vulnerability is reachable over the network with no authentication required and no victim interaction needed, making it trivially exploitable from the internet. Successful exploitation gives an attacker the plain-text credentials for the Sitefinity Insight integration, enabling account takeover of that service and follow-on access to data it holds. Patched-image rebuilds at versions 14.4.8152, 15.0.8234, 15.1.8335, 15.2.8441, and 15.3.8531 are available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection for CVE-2026-7312 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of ingestion from upstream advisory feeds, including Progress Software's own advisories. Coverage extends to custom-built images that bundle Sitefinity components, not only official base images.
HarborGuard is capable of scoring this finding at CVSS 10.0 Critical and weighting it against each customer organization's compliance policy to determine urgency and escalation path. Triage routing is available to direct the alert to the appropriate team inbox within each customer org based on image ownership and policy configuration.
A patched-image rebuild targeting the applicable fix version (14.4.8152, 15.0.8234, 15.1.8335, 15.2.8441, or 15.3.8531 depending on the installed branch) becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard is capable of triggering a rebuild, running a regression test suite, and opening a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Sitefinity web service over the network; no prior foothold on the host is needed.
- Authentication: Not required
No account or session token is required; the vulnerable endpoint is accessible to unauthenticated remote requests.
- Victim interaction: Not required
Exploitation is fully attacker-driven and requires no action from any user or administrator of the target system.
- Attack complexity: Low
Attack complexity is Low, meaning the exploit is reliable and requires no race condition, special memory layout, or non-standard environmental prerequisite, though successful credential exposure additionally requires active Sitefinity Insight integration and a non-default site configuration.
Blast Radius
- Attacker reads plain-text credentials used by Sitefinity to authenticate against the Sitefinity Insight service.
- With those credentials, the attacker authenticates directly to Sitefinity Insight and accesses visitor analytics, behavioral tracking data, and audience segment records stored there.
- Scope is marked Changed (S:C) in the CVSS vector, meaning impact extends beyond the vulnerable Sitefinity instance itself to the connected Sitefinity Insight service and its data.
- Confidentiality and Integrity of the Sitefinity Insight service are both rated High, so the attacker can read stored data and modify records in that service; Availability of the primary Sitefinity instance is not directly affected by this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: detection for this Critical-severity credential-exposure vulnerability fires within minutes of advisory ingestion and matches against all images in customer registries and pipelines, including custom Sitefinity builds. Where compliance policy permits, a patched-image rebuild at the appropriate fix version is available immediately, and customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads; median time from CVE publication to merged patch PR for Critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Because exploitation additionally requires active Sitefinity Insight integration and a non-default site configuration, HarborGuard triage output includes that context so teams can quickly assess whether a flagged image is actually exposed. For environments that cannot patch immediately, compensating controls such as network-policy rules restricting inbound access to the affected Sitefinity web service endpoints and egress filtering between the Sitefinity host and Sitefinity Insight are worth evaluating while a patched rebuild is prepared.
Fix available
- Progress Software / Sitefinity: < 14.4.8152 (from 14.0.7700) · < 15.0.8234 (from 15.0.8200) · < 15.1.8335 (from 15.1.8300) · < 15.2.8441 (from 15.2.8400) · < 15.3.8531 (from 15.3.8500) · < 15.4.8630 (from 15.4.8600)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
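The affected ranges listed under "Fix available" are per-branch, so an inventory check has to compare the installed build against the right branch rather than a single threshold. The script below is an added example (not HarborGuard's or Progress Software's code) that encodes those published ranges and reports, for each installed version, whether it is affected and which fix build applies; the inventory entries are constructed sample values.

```python
"""Check whether an installed Progress Sitefinity build falls inside the
ranges that CVE-2026-7312 affects, and report the fix version for its branch."""
from typing import Optional, Tuple

# Affected ranges as published in the advisory: (first affected, first fixed).
# A build is affected when first_affected <= build < first_fixed on that branch.
AFFECTED_RANGES = [
    ("14.0.7700", "14.4.8152"),
    ("15.0.8200", "15.0.8234"),
    ("15.1.8300", "15.1.8335"),
    ("15.2.8400", "15.2.8441"),
    ("15.3.8500", "15.3.8531"),
    ("15.4.8600", "15.4.8630"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'major.minor.build' into a comparable tuple of integers.

    Raises ValueError on anything that is not dot-separated digits, so a
    garbled version string never silently reads as 'not affected'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable Sitefinity version: {text!r}")
    return tuple(int(p) for p in parts)


def check_cve_2026_7312(installed: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, fix_version).

    fix_version is the first fixed build on the matching branch, or None when
    the installed build lies outside every published range.
    """
    v = parse_version(installed)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return True, first_fixed
    return False, None


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical image tags, not real hosts).
    sample_inventory = {
        "registry.example/sitefinity:14.3": "14.3.8000",
        "registry.example/sitefinity:15.2": "15.2.8441",
        "registry.example/sitefinity:15.4": "15.4.8610",
    }
    for image, version in sample_inventory.items():
        affected, fix = check_cve_2026_7312(version)
        status = f"AFFECTED, upgrade to {fix}" if affected else "not affected"
        print(f"{image} ({version}): {status}")
```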