Cyber Resilience

CVE-2026-7201

HighUpdated

Published: 02 June 2026

Published
02 June 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0035 26.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7201 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Progress Sitefinity. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); ranked at the 26.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

CWE-639: Authorization Bypass Through User-Controlled Key in web services in Progress Sitefinity 15.2.x before 15.2.8441, 15.3.x before 15.3.8531, and 15.4.x before 15.4.8630 allows a remote authenticated attacker to modify account properties of other users, potentially leading to account compromise. Successful…

more

exploitation requires knowledge of values that are not generally exposed to low-privileged users.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

Authorization bypass directly enables modification of other users' account properties (T1098 Account Manipulation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7198Same product: Progress Sitefinity
CVE-2026-7313Same product: Progress Sitefinity
CVE-2026-7312Same product: Progress Sitefinity
CVE-2024-11627Same product: Progress Sitefinity
CVE-2024-11625Same product: Progress Sitefinity
CVE-2024-11626Same product: Progress Sitefinity
CVE-2026-7195Same product: Progress Sitefinity
CVE-2024-56133Same vendor: Progress
CVE-2026-8487Same vendor: Progress
CVE-2026-3517Same vendor: Progress

Affected Assets

progress
sitefinity
15.2.8400 — 15.2.8441 · 15.3.8500 — 15.3.8531 · 15.4.8600 — 15.4.8630

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-639

Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

addresses: CWE-639

Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.

References