ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-7198 — Critical Unauthenticated Access Control Bypass in Progress Sitefinity OData Web Services

A short review of CVE-2026-7198, a CVSS 9.8 improper access control vulnerability in Progress Sitefinity's OData web services that allows unauthenticated remote attackers to access restricted content, part of a five CVE cluster disclosed in the May 2026 advisory.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-02

Brief Summary: CVE-2026-7198 — Critical Unauthenticated Access Control Bypass in Progress Sitefinity OData Web Services
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A five CVE advisory dropped today for Progress Sitefinity, and the second most severe of the bunch, CVE-2026-7198, allows a completely unauthenticated remote attacker to bypass access controls on OData web services endpoints and reach content that should be restricted. With a CVSS score of 9.8 and full impact across confidentiality, integrity, and availability, this vulnerability sits alongside a CVSS 10.0 sibling (CVE-2026-7312) in what amounts to a systemic breakdown of the Sitefinity web services authorization layer.

Progress Sitefinity is a .NET based web content management system used by approximately 4,127 customers across 65 countries, with roughly 67% of deployments concentrated in the United States. The platform serves enterprise customers in education, insurance, and other verticals, with organizations like Advance Auto Parts, NTT DATA, and Conduent among its user base. Sitefinity holds about 0.71% of the web content management market and competes against platforms like Drupal and TYPO3.

Technical Information

Root Cause: CWE-284 Improper Access Control in OData Web Services

CVE-2026-7198 is classified under CWE-284 (Improper Access Control), indicating a failure to properly enforce permissions on resources exposed through the OData Web Services component. OData (Open Data Protocol) is a standardized REST based protocol for building and consuming data APIs, and Sitefinity uses it to expose content data to front end applications and integrations. The vulnerability allows crafted HTTP requests to bypass the authorization checks that should restrict access to certain content served through these endpoints.

This is not a long standing vulnerability. The affected version range is narrow: only Sitefinity versions 15.4.8623 through 15.4.8629. Version 15.4.8623 was released on January 27, 2026, which means this is a regression introduced in a patch release rather than a flaw that has been present across multiple major versions. The fix is available in version 15.4.8630.

Attack Vector Analysis

The attack characteristics make this vulnerability particularly concerning:

Network accessible, no authentication required. The vulnerability is exploitable over HTTP/HTTPS against the OData web services endpoints. An attacker needs no valid credentials, no prior access to the Sitefinity instance, and no special privileges. This dramatically lowers the barrier to exploitation and makes internet facing Sitefinity installations directly targetable.

Low attack complexity. The CVSS 9.8 score, as reported by Progress, is consistent with the CVSS v3.1 vector pattern for unauthenticated, low complexity, high impact vulnerabilities. The advisory describes exploitation via "crafted requests" to the OData web services, indicating that specially formed HTTP requests can bypass authorization checks.

Full CIA impact. The advisory explicitly states that successful exploitation results in "full compromise of confidentiality, integrity, and availability of affected installations." In practical terms:

  • Confidentiality: An attacker can access restricted content through the OData endpoint, potentially exposing sensitive organizational data, user information, or administrative content not intended for public consumption.
  • Integrity: Improper access control in OData web services may allow unauthorized modification of content, depending on the HTTP methods permitted through the vulnerable endpoint (OData supports GET, POST, PUT, PATCH, and DELETE operations).
  • Availability: The vulnerability may allow an attacker to disrupt service availability through unauthorized deletion or manipulation of content.

The Five CVE Cluster: A Systemic Problem

CVE-2026-7198 was not disclosed in isolation. The May 2026 Sitefinity advisory addresses five CVEs, four of which target the same OData Web Services attack surface:

CVE IDCWEDescriptionCVSS v3.1Affected VersionsAttack Surface
CVE-2026-7312CWE-522Insufficiently Protected Credentials10.014.0 through 15.4OData Web Services
CVE-2026-7198CWE-284Improper Access Control9.815.4.8623 through 15.4.8629OData Web Services
CVE-2026-7195CWE-20Improper Input Validation8.814.1 through 15.4OData Web Services
CVE-2026-7201CWE-639Authorization Bypass Through User Controlled Key8.815.2 through 15.4OData Web Services
CVE-2026-7313CWE-522Insufficiently Protected Credentials8.78.0 through 13.3ServiceStack Web Services

The concentration of four distinct vulnerability classes (improper access control, insufficiently protected credentials, improper input validation, and authorization bypass via user controlled key) in a single component points to a systemic weakness in the OData web services authorization and input validation layer. Organizations should not treat CVE-2026-7198 as an isolated issue; the entire web services subsystem requires attention.

The potential for CVE chaining is worth noting. An attacker who exploits CVE-2026-7198 to bypass access controls could potentially chain it with CVE-2026-7312 (insufficiently protected credentials, CVSS 10.0) or CVE-2026-7195 (improper input validation) for amplified impact.

NVD Status

As of the publication date, the NVD entry for CVE-2026-7198 shows a status of "Received" with "NVD assessment not yet provided," meaning the official NIST CVSS scoring and vector string have not yet been independently confirmed. The 9.8 score referenced throughout this post comes from the vendor's own assessment.

Affected Systems and Versions

The vulnerability affects a narrow version range within the Sitefinity 15.4.x branch:

  • Vulnerable: Sitefinity CMS versions 15.4.8623 through 15.4.8629
  • Fixed: Sitefinity CMS version 15.4.8630 and later

For the companion CVEs in the same advisory, the affected version ranges are broader. The following patched versions address all five CVEs across supported branches:

Current BranchRequired Minimum Patch Version
15.4.x (8623 through 8629)15.4.8630
15.3.x15.3.8531
15.2.x15.2.8441
15.1.x15.1.8335
15.0.x15.0.8234
14.4.x14.4.8152
13.3.x13.3.7652

The latest available version at the time of the advisory is 15.4.8631. Progress strongly encourages customers on unsupported versions to update to the latest product version.

No workarounds are available. The advisory does not document any temporary mitigations or configuration changes that would address the vulnerability without upgrading. Organizations unable to immediately patch should consider compensating controls such as restricting network access to OData web services endpoints via WAF or reverse proxy rules, monitoring access logs for anomalous unauthenticated requests to OData endpoints, and segmenting the Sitefinity server from the broader network. These measures are not vendor endorsed and have not been tested against this specific vulnerability.

Vendor Security History

Progress Software has a notable and troubled security track record that provides important context for evaluating CVE-2026-7198.

The most significant incident in the company's history is the MOVEit Transfer zero day breach of 2023. On May 31, 2023, the Cl0p Russian speaking cybercrime syndicate exploited a SQL injection zero day in MOVEit Transfer, Progress's managed file transfer product. The breach affected at least 2,500 firms and over 66.4 million individuals, making it one of the largest supply chain style data breach events in history.

Beyond MOVEit, Progress has issued a steady stream of critical security advisories across its product lines in recent years:

  • Sitefinity CVE-2025-1968 (April 2025): A High severity vulnerability in Sitefinity requiring a dedicated security advisory.
  • MOVEit WAF Critical Security Bulletin (April 2026): Five CVEs (CVE-2026-3517, CVE-2026-3518, CVE-2026-3519, CVE-2026-4048, CVE-2026-21876) addressing authenticated command execution vulnerabilities.
  • MOVEit Automation Critical Security Alert (April 2026): Two CVEs (CVE-2026-4670, CVE-2026-5174) addressing an authentication bypass vulnerability.
  • Sitefinity and Telerik UI for ASP.NET AJAX (2017): A security alert addressing vulnerabilities in both products.

The recurring pattern of critical vulnerabilities across Progress products, particularly in web facing services and authentication mechanisms, suggests ongoing challenges in the vendor's secure development lifecycle. The current five CVE cluster in Sitefinity's web services layer reinforces this pattern.

Threat Intelligence Context

As of June 2, 2026, there is no confirmed evidence of active exploitation of CVE-2026-7198 in the wild. The Progress advisory does not mention active exploitation. The CVE does not appear in the CISA Known Exploited Vulnerabilities (KEV) Catalog. Proofpoint's May 2026 threat intelligence report on 2026 CVE exploitation does not reference CVE-2026-7198 or any of the companion Sitefinity CVEs.

However, the vulnerability was only published today, and several factors elevate the likelihood of future exploitation:

2026 weaponization timelines are extremely compressed. Proofpoint telemetry shows 12 distinct 2026 CVEs already being actively exploited in network facing attacks, with some weaponized within 24 hours of disclosure. CVE-2026-21509 (Microsoft Office RTF/OLE Code Execution) was weaponized by Russia linked TA422 (APT28) within a single day of public disclosure. DPRK aligned TA406 (Opal Sleet) chained CVE-2026-21510 with CVE-2026-21509 in active campaigns.

Progress Software is a known target. The MOVEit breach demonstrated that Progress products are on the radar of sophisticated threat actors. Cl0p specifically targeted MOVEit due to its enterprise capabilities. Sitefinity's web facing CMS role presents a similar high value attack surface.

The vulnerability profile is ideal for opportunistic exploitation. Unauthenticated, network accessible, low complexity, high impact. Proofpoint notes that attackers "opportunistically use newly published CVEs when public proof of concept code becomes available." OData endpoints are commonly exposed to the internet and have documented attack patterns in security research.

No specific threat actors have been linked to CVE-2026-7198 at this time. Based on the broader landscape, Cl0p (given their history with Progress products), nation state actors operating at speed (TA422, TA406), and opportunistic ransomware operators are the most likely categories of threat actors to target this vulnerability if exploitation techniques become available.

Synthesis

The narrow affected version range (15.4.8623 through 15.4.8629) is worth examining closely. This is a regression: a patch release introduced a critical security flaw. That pattern, where an update intended to improve the product creates a new vulnerability, raises questions about the robustness of Progress's quality assurance and security testing processes for the OData web services layer. The fact that four of the five CVEs in this advisory target OData Web Services reinforces the concern that this component has not received adequate security review.

Organizations running affected versions should treat this as an emergency patching priority. The combination of an unauthenticated attack vector, a well understood web services attack surface, a vendor already targeted by sophisticated threat actors, and a 2026 threat landscape where weaponization can happen within hours creates conditions that strongly favor rapid exploitation once technical details circulate.

For organizations that cannot patch immediately, restricting network access to OData endpoints and implementing aggressive monitoring for unauthenticated requests to those endpoints are the most practical compensating controls, though neither is a substitute for the upgrade.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization