Description
CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
Published: 2026-06-02
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the Progress Sitefinity web services allows a remote authenticated attacker to change account properties of other users, potentially enabling full account takeover. The flaw is classified as CWE-639, Authorization Bypass Through User-Controlled Key: the record to act on is selected by a key the client supplies, without the service verifying that the caller is authorized for that record. Successful exploitation requires knowledge of key values that are not normally exposed to low-privileged users.

Affected Systems

Progress Software Sitefinity versions 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 are affected.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, but the attack requires remote authentication and knowledge of internal key values that are not typically exposed, raising the exploitation barrier. The EPSS data is not available and the vulnerability is not listed in CISA KEV. Exploitation would likely come through exposed web service endpoints and could be carried out by an attacker who has gained initial authenticated access to the application.

Generated by OpenCVE AI on June 2, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Sitefinity 15.2.8441 or later, 15.3.8531 or later, or 15.4.8630 or later to apply the vendor patch.
  • Restrict access to the vulnerable web service endpoints so that only privileged roles can invoke them, enforcing strict role-based access control.
  • Audit and monitor account property changes to detect and respond to unauthorized modifications promptly.
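To make the CWE-639 pattern and the last two recommended actions concrete, here is an added illustration written for this page; it is not Sitefinity code and does not model the Sitefinity web service API. It shows a generic account-update handler in its vulnerable form (the target record is chosen purely by a client-supplied user id) beside a hardened form that binds the operation to the session identity, restricts which properties the endpoint may change, and writes an audit entry for every attempt, plus a small detection pass over that audit trail. User ids, roles and e-mail addresses are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class User:
    user_id: str
    role: str      # "user" or "admin" (constructed roles for this example)
    email: str


@dataclass
class Session:
    # Identity established at login. The hardened handler trusts only this,
    # never a user id carried in the request body or query string.
    user_id: str


class AuthorizationError(Exception):
    pass


# Properties this endpoint is allowed to change at all.
EDITABLE = {"email"}


def make_store() -> Dict[str, User]:
    """Constructed sample user store (hypothetical ids, not real accounts)."""
    return {
        "u-100": User("u-100", "user", "alice@example.test"),
        "u-200": User("u-200", "user", "bob@example.test"),
        "u-900": User("u-900", "admin", "ops@example.test"),
    }


def update_property_vulnerable(users: Dict[str, User], session: Session, request: dict) -> User:
    """CWE-639 shape: the record is selected by a key the client supplies
    (request['user_id']) and the session is never consulted, so any
    authenticated caller who learns another user's id can edit that account."""
    target = users[request["user_id"]]
    setattr(target, request["property"], request["value"])
    return target


def update_property_hardened(users: Dict[str, User], session: Session,
                             request: dict, audit_log: List[dict]) -> User:
    """Bind the operation to the authenticated identity and log every attempt."""
    caller = users[session.user_id]
    target_id = request["user_id"]
    prop = request["property"]
    entry = {"actor": caller.user_id, "actor_role": caller.role,
             "target": target_id, "property": prop}
    # Reject properties this endpoint was never meant to expose (e.g. role).
    if prop not in EDITABLE:
        audit_log.append({**entry, "outcome": "denied", "reason": "property not editable"})
        raise AuthorizationError(f"property {prop!r} is not editable")
    # Ownership check: a non-admin may only modify their own record.
    if caller.role != "admin" and target_id != caller.user_id:
        audit_log.append({**entry, "outcome": "denied", "reason": "cross-account"})
        raise AuthorizationError("not permitted to modify another user's account")
    if target_id not in users:
        audit_log.append({**entry, "outcome": "denied", "reason": "unknown target"})
        raise AuthorizationError(f"unknown user {target_id!r}")
    target = users[target_id]
    old = getattr(target, prop)
    setattr(target, prop, request["value"])
    audit_log.append({**entry, "outcome": "allowed", "old": old, "new": request["value"]})
    return target


def suspicious_entries(audit_log: List[dict]) -> List[dict]:
    """Detection pass over the audit trail: every denied cross-account attempt,
    and any allowed change where a non-admin touched someone else's record
    (the latter only appears if some endpoint still lacks the ownership check)."""
    return [e for e in audit_log
            if e["actor"] != e["target"] and e["actor_role"] != "admin"]


if __name__ == "__main__":
    users, log = make_store(), []
    req = {"user_id": "u-100", "property": "email", "value": "changed@example.test"}
    try:
        update_property_hardened(users, Session("u-200"), req, log)
    except AuthorizationError as exc:
        print("denied:", exc)
    print("flagged audit entries:", suspicious_entries(log))
```

The ownership check is the fix for the weakness class; the audit entries and `suspicious_entries` are the monitoring side of the third recommended action, and they are useful even while a patch is pending because a denied cross-account attempt is itself a signal worth alerting on.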

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics   (empty)          ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 14:15:00 +0000

Type         Values Removed   Values Added
Description  (empty)          CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful exploitation requires knowledge of values that are not generally exposed to low-privileged users.
Title        (empty)          CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity
Weaknesses   (empty)          CWE-639
References   (empty)          (empty)
Metrics      (empty)          cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: ProgressSoftware

Published:

Updated: 2026-06-02T15:12:26.494Z

Reserved: 2026-04-27T13:52:28.344Z

Link: CVE-2026-7201

Vulnrichment

Updated: 2026-06-02T15:12:23.482Z

NVD

Status : Awaiting Analysis

Published: 2026-06-02T14:17:14.360

Modified: 2026-06-02T14:37:13.613

Link: CVE-2026-7201

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T15:30:11Z

Weaknesses