Introduction
A five CVE advisory dropped today for Progress Sitefinity, and the second most severe of the bunch, CVE-2026-7198, allows a completely unauthenticated remote attacker to bypass access controls on OData web services endpoints and reach content that should be restricted. With a CVSS score of 9.8 and full impact across confidentiality, integrity, and availability, this vulnerability sits alongside a CVSS 10.0 sibling (CVE-2026-7312) in what amounts to a systemic breakdown of the Sitefinity web services authorization layer.
Progress Sitefinity is a .NET based web content management system used by approximately 4,127 customers across 65 countries, with roughly 67% of deployments concentrated in the United States. The platform serves enterprise customers in education, insurance, and other verticals, with organizations like Advance Auto Parts, NTT DATA, and Conduent among its user base. Sitefinity holds about 0.71% of the web content management market and competes against platforms like Drupal and TYPO3.
Technical Information
Root Cause: CWE-284 Improper Access Control in OData Web Services
CVE-2026-7198 is classified under CWE-284 (Improper Access Control), indicating a failure to properly enforce permissions on resources exposed through the OData Web Services component. OData (Open Data Protocol) is a standardized REST based protocol for building and consuming data APIs, and Sitefinity uses it to expose content data to front end applications and integrations. The vulnerability allows crafted HTTP requests to bypass the authorization checks that should restrict access to certain content served through these endpoints.
This is not a long standing vulnerability. The affected version range is narrow: only Sitefinity versions 15.4.8623 through 15.4.8629. Version 15.4.8623 was released on January 27, 2026, which means this is a regression introduced in a patch release rather than a flaw that has been present across multiple major versions. The fix is available in version 15.4.8630.
Attack Vector Analysis
The attack characteristics make this vulnerability particularly concerning:
Network accessible, no authentication required. The vulnerability is exploitable over HTTP/HTTPS against the OData web services endpoints. An attacker needs no valid credentials, no prior access to the Sitefinity instance, and no special privileges. This dramatically lowers the barrier to exploitation and makes internet facing Sitefinity installations directly targetable.
Low attack complexity. The CVSS 9.8 score, as reported by Progress, is consistent with the CVSS v3.1 vector pattern for unauthenticated, low complexity, high impact vulnerabilities. The advisory describes exploitation via "crafted requests" to the OData web services, indicating that specially formed HTTP requests can bypass authorization checks.
Full CIA impact. The advisory explicitly states that successful exploitation results in "full compromise of confidentiality, integrity, and availability of affected installations." In practical terms:
- Confidentiality: An attacker can access restricted content through the OData endpoint, potentially exposing sensitive organizational data, user information, or administrative content not intended for public consumption.
- Integrity: Improper access control in OData web services may allow unauthorized modification of content, depending on the HTTP methods permitted through the vulnerable endpoint (OData supports GET, POST, PUT, PATCH, and DELETE operations).
- Availability: The vulnerability may allow an attacker to disrupt service availability through unauthorized deletion or manipulation of content.
The Five CVE Cluster: A Systemic Problem
CVE-2026-7198 was not disclosed in isolation. The May 2026 Sitefinity advisory addresses five CVEs, four of which target the same OData Web Services attack surface:
| CVE ID | CWE | Description | CVSS v3.1 | Affected Versions | Attack Surface |
|---|---|---|---|---|---|
| CVE-2026-7312 | CWE-522 | Insufficiently Protected Credentials | 10.0 | 14.0 through 15.4 | OData Web Services |
| CVE-2026-7198 | CWE-284 | Improper Access Control | 9.8 | 15.4.8623 through 15.4.8629 | OData Web Services |
| CVE-2026-7195 | CWE-20 | Improper Input Validation | 8.8 | 14.1 through 15.4 | OData Web Services |
| CVE-2026-7201 | CWE-639 | Authorization Bypass Through User Controlled Key | 8.8 | 15.2 through 15.4 | OData Web Services |
| CVE-2026-7313 | CWE-522 | Insufficiently Protected Credentials | 8.7 | 8.0 through 13.3 | ServiceStack Web Services |
The concentration of four distinct vulnerability classes (improper access control, insufficiently protected credentials, improper input validation, and authorization bypass via user controlled key) in a single component points to a systemic weakness in the OData web services authorization and input validation layer. Organizations should not treat CVE-2026-7198 as an isolated issue; the entire web services subsystem requires attention.
The potential for CVE chaining is worth noting. An attacker who exploits CVE-2026-7198 to bypass access controls could potentially chain it with CVE-2026-7312 (insufficiently protected credentials, CVSS 10.0) or CVE-2026-7195 (improper input validation) for amplified impact.
NVD Status
As of the publication date, the NVD entry for CVE-2026-7198 shows a status of "Received" with "NVD assessment not yet provided," meaning the official NIST CVSS scoring and vector string have not yet been independently confirmed. The 9.8 score referenced throughout this post comes from the vendor's own assessment.
Affected Systems and Versions
The vulnerability affects a narrow version range within the Sitefinity 15.4.x branch:
- Vulnerable: Sitefinity CMS versions 15.4.8623 through 15.4.8629
- Fixed: Sitefinity CMS version 15.4.8630 and later
For the companion CVEs in the same advisory, the affected version ranges are broader. The following patched versions address all five CVEs across supported branches:
| Current Branch | Required Minimum Patch Version |
|---|---|
| 15.4.x (8623 through 8629) | 15.4.8630 |
| 15.3.x | 15.3.8531 |
| 15.2.x | 15.2.8441 |
| 15.1.x | 15.1.8335 |
| 15.0.x | 15.0.8234 |
| 14.4.x | 14.4.8152 |
| 13.3.x | 13.3.7652 |
The latest available version at the time of the advisory is 15.4.8631. Progress strongly encourages customers on unsupported versions to update to the latest product version.
No workarounds are available. The advisory does not document any temporary mitigations or configuration changes that would address the vulnerability without upgrading. Organizations unable to immediately patch should consider compensating controls such as restricting network access to OData web services endpoints via WAF or reverse proxy rules, monitoring access logs for anomalous unauthenticated requests to OData endpoints, and segmenting the Sitefinity server from the broader network. These measures are not vendor endorsed and have not been tested against this specific vulnerability.
Vendor Security History
Progress Software has a notable and troubled security track record that provides important context for evaluating CVE-2026-7198.
The most significant incident in the company's history is the MOVEit Transfer zero day breach of 2023. On May 31, 2023, the Cl0p Russian speaking cybercrime syndicate exploited a SQL injection zero day in MOVEit Transfer, Progress's managed file transfer product. The breach affected at least 2,500 firms and over 66.4 million individuals, making it one of the largest supply chain style data breach events in history.
Beyond MOVEit, Progress has issued a steady stream of critical security advisories across its product lines in recent years:
- Sitefinity CVE-2025-1968 (April 2025): A High severity vulnerability in Sitefinity requiring a dedicated security advisory.
- MOVEit WAF Critical Security Bulletin (April 2026): Five CVEs (CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, CVE-2026-4048, CVE-2026-21876) addressing authenticated command execution vulnerabilities.
- MOVEit Automation Critical Security Alert (April 2026): Two CVEs (CVE-2026-4670, CVE-2026-5174) addressing an authentication bypass vulnerability.
- Sitefinity and Telerik UI for ASP.NET AJAX (2017): A security alert addressing vulnerabilities in both products.
The recurring pattern of critical vulnerabilities across Progress products, particularly in web facing services and authentication mechanisms, suggests ongoing challenges in the vendor's secure development lifecycle. The current five CVE cluster in Sitefinity's web services layer reinforces this pattern.
Threat Intelligence Context
As of June 2, 2026, there is no confirmed evidence of active exploitation of CVE-2026-7198 in the wild. The Progress advisory does not mention active exploitation. The CVE does not appear in the CISA Known Exploited Vulnerabilities (KEV) Catalog. Proofpoint's May 2026 threat intelligence report on 2026 CVE exploitation does not reference CVE-2026-7198 or any of the companion Sitefinity CVEs.
However, the vulnerability was only published today, and several factors elevate the likelihood of future exploitation:
2026 weaponization timelines are extremely compressed. Proofpoint telemetry shows 12 distinct 2026 CVEs already being actively exploited in network facing attacks, with some weaponized within 24 hours of disclosure. CVE-2026-21509 (Microsoft Office RTF/OLE Code Execution) was weaponized by Russia linked TA422 (APT28) within a single day of public disclosure. DPRK aligned TA406 (Opal Sleet) chained CVE-2026-21510 with CVE-2026-21509 in active campaigns.
Progress Software is a known target. The MOVEit breach demonstrated that Progress products are on the radar of sophisticated threat actors. Cl0p specifically targeted MOVEit due to its enterprise capabilities. Sitefinity's web facing CMS role presents a similar high value attack surface.
The vulnerability profile is ideal for opportunistic exploitation. Unauthenticated, network accessible, low complexity, high impact. Proofpoint notes that attackers "opportunistically use newly published CVEs when public proof of concept code becomes available." OData endpoints are commonly exposed to the internet and have documented attack patterns in security research.
No specific threat actors have been linked to CVE-2026-7198 at this time. Based on the broader landscape, Cl0p (given their history with Progress products), nation state actors operating at speed (TA422, TA406), and opportunistic ransomware operators are the most likely categories of threat actors to target this vulnerability if exploitation techniques become available.
Synthesis
The narrow affected version range (15.4.8623 through 15.4.8629) is worth examining closely. This is a regression: a patch release introduced a critical security flaw. That pattern, where an update intended to improve the product creates a new vulnerability, raises questions about the robustness of Progress's quality assurance and security testing processes for the OData web services layer. The fact that four of the five CVEs in this advisory target OData Web Services reinforces the concern that this component has not received adequate security review.
Organizations running affected versions should treat this as an emergency patching priority. The combination of an unauthenticated attack vector, a well understood web services attack surface, a vendor already targeted by sophisticated threat actors, and a 2026 threat landscape where weaponization can happen within hours creates conditions that strongly favor rapid exploitation once technical details circulate.
For organizations that cannot patch immediately, restricting network access to OData endpoints and implementing aggressive monitoring for unauthenticated requests to those endpoints are the most practical compensating controls, though neither is a substitute for the upgrade.
References
- NVD: CVE-2026-7198
- Progress Sitefinity Security Advisory: CVE-2026-7312, CVE-2026-7198, CVE-2026-7195, CVE-2026-7201, CVE-2026-7313 (May 2026)
- Proofpoint: CVEs, Same Playbook: 2026 Vulnerability Exploitation in the Wild
- CISA Known Exploited Vulnerabilities Catalog
- ORX: MOVEit Transfer Data Breaches Deep Dive
- Progress Sitefinity Security Advisory: CVE-2025-1968 (April 2025)
- MOVEit WAF Critical Security Bulletin (April 2026)
- MOVEit Automation Critical Security Alert Bulletin (April 2026)
- 6sense: Progress Sitefinity Market Share and Competitor Insights
- OpenCVE: Sitefinity CVEs and Security Vulnerabilities
- Progress Sitefinity CMS 15.4.8623 Release Notes
- Canadian Centre for Cyber Security: Progress Security Advisory (AV26-410)
- Kaspersky Securelist: Exploits and Vulnerabilities in Q1 2026



