Description
CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations.
Published: 2026-06-02
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper access control flaw (CWE‑284) in the web services of Progress Sitefinity. A remote attacker, without authentication, can call web service endpoints and obtain data that should be restricted, allowing them to read, modify or delete content and thereby compromising the confidentiality, integrity, and availability of the affected installation.

Affected Systems

Affected products are Progress Sitefinity versions 15.4.8623 and earlier, up to but not including 15.4.8630. The flaw resides in the web services component that handles content requests.

Risk and Exploitability

The CVSS base score of 9.8 classifies this flaw as Critical. An EPSS score is not yet available, but its absence does not reduce the risk posed by a remote unauthenticated attacker. The vulnerability is not listed in the CISA KEV catalog, but the nature of the flaw makes it highly attractive to threat actors. Exploitation requires sending crafted requests to the unprotected web service endpoints, which is feasible over the internet.

Generated by OpenCVE AI on June 2, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sitefinity to version 15.4.8630 or later, which contains the fix for the access control issue.
  • If an immediate upgrade is not possible, block unauthenticated access to the affected web service endpoints using firewall or web application firewall rules.
  • Verify that role‑based access control is correctly enforced for all web service endpoints by testing with unauthenticated and insufficiently privileged accounts, and remove any permissions that expose sensitive data.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:30:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 14:15:00 +0000

Type: Description
Values Removed: (empty)
Values Added: CWE-284: Improper Access Control in web services in Progress Sitefinity 15.4.8623 before 15.4.8630 allows a remote unauthenticated attacker to access content that should be restricted, resulting in full compromise of confidentiality, integrity, and availability of affected installations.

Type: Title
Values Removed: (empty)
Values Added: CWE-284: Improper Access Control in web services in Progress Sitefinity

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-284

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-06-02T15:24:55.938Z

Reserved: 2026-04-27T13:51:51.317Z

Link: CVE-2026-7198

Vulnrichment

Updated: 2026-06-02T15:24:50.903Z

NVD

Status : Awaiting Analysis

Published: 2026-06-02T14:17:14.227

Modified: 2026-06-02T14:37:13.613

Link: CVE-2026-7198

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T15:30:11Z

Weaknesses