Five flaws in enterprise CMS Sitefinity, unauthenticated data exposure: CVE-2026-7198 and more
Five flaws disclosed in enterprise CMS Progress Sitefinity: unauthenticated access to private content (CVE-2026-7198, 9.8) and conditional plain-text credential exposure (CVE-2026-7312, 10.0). From the maker of MOVEit. Conditions and fixed builds by branch.

Makoto Horikawa
Backend Engineer / AWS / Django
The enterprise website-building software "Progress Sitefinity" has disclosed five vulnerabilities at once. The most serious are a flaw that lets an unauthenticated third party reach content that is supposed to be private over the network (CVE-2026-7198, CVSS 9.8), and one that, under certain conditions, leaks the credentials used to connect to an external service in plain text (CVE-2026-7312, CVSS 10.0). The vendor, Progress Software, is also the maker of the file-transfer software "MOVEit," which caused a worldwide mass data breach in 2023 — so flaws in its products draw heavy scrutiny.
Sitefinity is a "CMS (content management system)," the business software that enterprises and government agencies use to build and run multiple sites and portals. The five flaws differ in severity and in the conditions needed to exploit them, so it is not the case that "all of them can be hit by anyone instantly." This article walks through which flaw is dangerous under what conditions, whether you are affected, and which version to update to.
The five flaws at a glance
First, here are all five. The two things to look at are whether a login is required and whether exploitation depends on a special configuration. Even with a high CVSS score, a flaw that needs a specific setting or privilege has a much narrower range of environments that can actually be hit.
| ID | What happens | Login | CVSS | Prerequisite |
|---|---|---|---|---|
| CVE-2026-7312 | Linked service's credentials leak in plain text | Not required | 10.0 | Insight integration + non-default config |
| CVE-2026-7198 | Unauthorized access to private content | Not required | 9.8 | Only 15.4.8623 to before 15.4.8630 |
| CVE-2026-7195 | Compromise of a user account | Not required (needs lure) | 8.8 | Non-default config |
| CVE-2026-7201 | Modify another user's account settings | Required | 8.8 | Prior knowledge of certain values |
| CVE-2026-7313 | Retrieve the linked service's credentials | Required (admin) | 8.7 | Old 8.0–13.3 + Insight integration |
The two to watch most are the ones exploitable without a login. CVE-2026-7312 has the maximum CVSS of 10.0, but only when "the site integrates with the Sitefinity Insight analytics service and has been changed from its default configuration." CVE-2026-7198 is CVSS 9.8 with no conditions, but it affects only a very narrow version band, from 15.4.8623 to before 15.4.8630. The remaining three need a login, admin rights, or a specific precondition. Either way, the response boils down to a single move: update to the latest fixed build.
The back door to private pages, and the connection passwords walked off with
The crux of this case is the two flaws that reach private content or connection passwords without even a login. The people who put a price on that are data-theft crews that trade unpublished corporate information, initial-access brokers who stock and resell footholds, and the ransomware crews that used the same vendor's product as a stepping stone in the MOVEit incident. What gets carried off is the drafts of not-yet-released press releases, the private pages of member portals, and the IDs and passwords for connecting to external services. The moment this flaw is hit on a site where the conditions line up, information not yet made public and the back-end connection keys flow out together.
It does not stop at one step. Holding the connection credentials, the attacker enters the analytics platform and surrounding systems linked to Sitefinity as a legitimate connection, and spreads from there into the internal side. Stolen information and connection keys are resold on the dark web, and the buyer uses them as a foothold to encrypt the whole company, halt operations, and extort twice by dangling the "publication" of the exfiltrated unpublished material. If pre-release management information gets out, it can even move share prices and deals.
The cleanup falls on the IT department running the site, the agency that built it, and management. If personal data leaks from a member portal, a duty to report to the data-protection authority and notify the individuals arises, on top of explanations to partners, damages, and lost trust. What never shows in the CVSS number is the labor cost of being left in a state where you "cannot tell when your site was being drained," chased by investigation and notification. Checking quickly whether the conditions apply, and whether you can update to the fixed build, is what decides the operator's safety now.
What are Sitefinity and Progress Software in the first place
Progress Sitefinity is a "CMS (content management system)" that enterprises and government agencies use to build and run their own sites and member portals. A CMS is the foundation software that lets people create and update pages without specialist knowledge; globally WordPress is the famous one, but Sitefinity is an enterprise product built on Microsoft's .NET technology. It is used by companies worldwide to manage multiple-brand and multilingual sites together (BuiltWith adoption stats).
The vendor, Progress Software, is a U.S. business-software company. What put its name in the spotlight was a flaw in its file-transfer software "MOVEit Transfer" (CVE-2023-34362). In 2023, the Cl0p ransomware crew exploited it to breach over 2,000 organizations worldwide, escalating into an incident that exposed the personal data of tens of millions of people. This Sitefinity matter is separate, but as a flaw in a product from the same vendor, it is why security teams worldwide are on edge.
Progress published these five together in an official security advisory and is providing fixes. This was not discovered through an external breach; it was announced alongside the fixes.
Looking at the five one by one
Here is "who, under what conditions, can do what" for each, in order of severity.
CVE-2026-7312: linked service's credentials exposed in plain text (CVSS 10.0)
When integrated with the analytics service "Sitefinity Insight," the credentials used for that connection can be retrieved unencrypted, without a login (CWE-522, insufficiently protected credentials). The CVSS is the maximum 10.0, but exploitation requires that the Insight integration is active and the configuration has been changed from its default. Where it applies, the attacker can enter the linked service as a legitimate connection, so the impact is large.
CVE-2026-7198: unauthorized access to private content (CVSS 9.8)
Due to an access-control flaw in web services, an unauthenticated third party can reach content that only authorized people should see (CWE-284, improper access control). There are no conditions, but the target is limited to a very narrow version band, from 15.4.8623 to before 15.4.8630. Environments that just installed the immediately preceding build are at risk; moving to the latest build resolves it.
CVE-2026-7195: compromise of a user account (CVSS 8.8)
Due to improper input validation, an attacker who lures a user to a crafted link can compromise the confidentiality and integrity of that user's account (CWE-20, improper input validation). No login is needed, but it requires action on the victim's side (such as clicking a link) and a configuration changed from the default.
CVE-2026-7201: modifying another user's account settings (CVSS 8.8)
A logged-in user can rewrite another user's account settings (CWE-639, authorization bypass through a user-controlled key). Exploitation needs prior knowledge of values a low-privileged user would not normally have, which raises the bar. Still, if it succeeds, it leads to account takeover.
CVE-2026-7313: retrieving credentials with admin rights (CVSS 8.7)
A user with admin rights can retrieve the Sitefinity Insight connection credentials in unencrypted form (CWE-522). The target is the older 8.0 through 13.3 versions, and this too assumes an Insight integration and a non-standard configuration. Environments still running old Sitefinity should take it as a sign to consider migrating to a supported version.
Has it been exploited?
Let us separate what is known from what is not yet confirmed.
✓ Confirmed facts
- ✓ Progress issued an official advisory covering all five and is providing fixed builds
- ✓ The flaws exploitable without a login are CVE-2026-7312 (10.0, conditional) and CVE-2026-7198 (9.8, narrow version band only) (NVD)
- ✓ The remaining three require a login, admin rights, or a specific precondition
? Not yet confirmed
- ? Any real-world exploitation: at the time of writing it is not in CISA's Known Exploited Vulnerabilities (KEV) catalog, and no public exploit code is confirmed
- ? Details on the finder/reporter: beyond the official advisory, third-party technical analysis is still scarce
Quick reference: your version and the fixed build
The basic response is to update to the fixed build below (or later) for the Sitefinity branch you run. If you are on the old 8.0–13.3 line, consider migrating to a newer, supported version.
| Branch in use | Affected versions | Update to (fixed build) |
|---|---|---|
| 14.x | 14.0.7700 to before 14.4.8152 | 14.4.8152 |
| 15.0 | before 15.0.8234 | 15.0.8234 |
| 15.1 | before 15.1.8335 | 15.1.8335 |
| 15.2 | before 15.2.8441 | 15.2.8441 |
| 15.3 | before 15.3.8531 | 15.3.8531 |
| 15.4 | before 15.4.8630 (CVE-2026-7198: 15.4.8623 and later only) | 15.4.8630 |
| 8.0–13.3 (old) | target of CVE-2026-7313 | migrate to a supported version |
Always confirm the exact affected range and the latest fixed build in the official Progress advisory. If you do not run it yourself but leave it to an agency, asking them about the update schedule is the quickest path.
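To turn the two tables above (conditions per flaw, and affected range and fixed build per branch) into something an operator can run against their own inventory, here is a small triage script. It is an added example, not code from Progress or from this article's author. The version ranges and conditions are copied from the tables; the environment inputs (installed build string, whether Sitefinity Insight is integrated, whether the configuration was changed from its default) are assumptions the operator supplies. It also assumes that CVE-2026-7312, CVE-2026-7195 and CVE-2026-7201 apply across all affected 14.x to 15.4 builds, since the article's table does not restrict them by branch; confirm the exact ranges in the official advisory.

```python
"""Triage which of the five Sitefinity CVEs apply to one environment.

Added example, not Progress's or the article's own code. Ranges come from the
article's tables; the Environment fields are operator-supplied assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed build per branch, from the article's quick-reference table.
FIXED_BUILDS = {
    "14": (14, 4, 8152),
    "15.0": (15, 0, 8234),
    "15.1": (15, 1, 8335),
    "15.2": (15, 2, 8441),
    "15.3": (15, 3, 8531),
    "15.4": (15, 4, 8630),
}
FIRST_AFFECTED_14 = (14, 0, 7700)          # "14.0.7700 to before 14.4.8152"
CVE_7198_BAND = ((15, 4, 8623), (15, 4, 8630))  # [8623, 8630)


@dataclass
class Environment:
    version: str                      # e.g. "15.4.8625" (major.minor.build)
    insight_integration: bool = False  # Sitefinity Insight connected?
    non_default_config: bool = False   # configuration changed from default?


@dataclass
class Triage:
    branch: str
    exposed: List[str] = field(default_factory=list)  # applicable CVE ids
    fixed_build: Optional[str] = None   # build to move to, if one is listed
    needs_update: bool = False
    rotate_credentials: bool = False    # Insight credentials may have leaked


def parse_version(text: str) -> Version:
    """'15.4.8625' -> (15, 4, 8625); reject anything that is not three ints."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Sitefinity version format: {text!r}")
    major, minor, build = (int(p) for p in parts)
    return (major, minor, build)


def branch_of(ver: Version) -> str:
    major, minor, _ = ver
    if 8 <= major <= 13:
        return "legacy"        # 8.0-13.3: CVE-2026-7313, migrate rather than patch
    if major == 14:
        return "14"
    if major == 15 and 0 <= minor <= 4:
        return f"15.{minor}"
    return "unknown"           # not covered by the article's table


def triage(env: Environment) -> Triage:
    ver = parse_version(env.version)
    result = Triage(branch=branch_of(ver))
    insight_nondefault = env.insight_integration and env.non_default_config

    if result.branch == "legacy":
        # Old line: no fixed build listed; admin-only credential retrieval.
        if insight_nondefault:
            result.exposed.append("CVE-2026-7313")
            result.rotate_credentials = True
        result.needs_update = True
        return result
    if result.branch == "unknown":
        return result

    fixed = FIXED_BUILDS[result.branch]
    result.fixed_build = ".".join(str(n) for n in fixed)
    affected = ver < fixed
    if result.branch == "14" and ver < FIRST_AFFECTED_14:
        affected = False
    if not affected:
        return result

    result.needs_update = True
    # Unauthenticated, unconditional, but only inside the narrow 15.4 band.
    if CVE_7198_BAND[0] <= ver < CVE_7198_BAND[1]:
        result.exposed.append("CVE-2026-7198")
    # Unauthenticated, needs Insight integration + non-default configuration.
    if insight_nondefault:
        result.exposed.append("CVE-2026-7312")
        result.rotate_credentials = True
    # Needs a lured user + non-default configuration.
    if env.non_default_config:
        result.exposed.append("CVE-2026-7195")
    # Needs a login plus prior knowledge of certain values; assumed on all
    # affected 14.x-15.4 builds (the table does not restrict it by branch).
    result.exposed.append("CVE-2026-7201")
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for env in (Environment("15.4.8625", True, True),
                Environment("14.2.8000"),
                Environment("13.3.7300", True, True),
                Environment("15.4.8630")):
        print(env.version, triage(env))
```

Running the script over an inventory export is the intended use: a build at or past its branch's fixed build returns no exposed CVEs, a 15.4 build inside the 8623 to 8629 band flags CVE-2026-7198 regardless of configuration, and any exposed credential-disclosure flaw sets rotate_credentials, since updating alone does not invalidate keys that may already have been taken.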
What site operators should check right now
The top priority is to confirm your Sitefinity version and update to the fixed build (or later) in the table above. In particular, environments integrated with Sitefinity Insight can be targets of CVE-2026-7312 (10.0) and CVE-2026-7313, so check the presence and settings of that integration first. Even if you cannot update immediately, interim measures include temporarily reviewing the Insight integration and narrowing the range reachable from outside.
It is also worth considering rotating the linked service's connection keys in environments where credentials may have been exposed. If they were already taken, updating alone will not stop the old keys from being abused. To manage your site's vulnerabilities systematically, see our roundup of major 2026 H1 vulnerabilities as well.
Around the same time, flaws targeting the "entrance" of corporate systems have kept coming. The config injection in the container platform OpenShift (CVE-2026-1784) and the unauthenticated takeover in another CMS, Drupal, are examples, and the weight of keeping the web's foundational software current keeps growing.
FAQ
Q. CVE-2026-7312 is CVSS 10.0 — is every Sitefinity at risk?
A. No. Exploitation requires that "the site integrates with the Sitefinity Insight analytics service and has been changed from its default configuration." Environments not integrated with Insight are not affected by this flaw. Check the presence of the integration first.
Q. Which ones are truly dangerous without a login?
A. The two exploitable without a login are CVE-2026-7312 and CVE-2026-7198. However, 7312 carries the integration condition above, and 7198 targets only the narrow band from 15.4.8623 to before 15.4.8630. Affected environments should update to the latest build urgently.
Q. Which version should I update to?
A. Per branch, the fixed builds are 14.4.8152 / 15.0.8234 / 15.1.8335 / 15.2.8441 / 15.3.8531 / 15.4.8630 or later. For the old 8.0–13.3 line, consider migrating to a newer, supported version. The exact details are in the official Progress advisory.
Q. Is Progress Software the same company as MOVEit?
A. Yes. MOVEit Transfer, the file-transfer software behind a worldwide mass data breach in 2023, is also a Progress Software product. This Sitefinity matter is a different product and a different flaw, but it draws attention as coming from the same vendor.
Summary
Five vulnerabilities have been disclosed in the enterprise CMS Progress Sitefinity. The two to watch most are the login-free CVE-2026-7312 (CVSS 10.0, with an integration condition) and CVE-2026-7198 (CVSS 9.8, narrow version band only). The numbers are severe, but many require a specific setting or version to exploit — it is not the case that "all of them can be hit by anyone instantly." The response is simple: update to the fixed build for your branch (14.4.8152 / 15.0.8234 / 15.1.8335 / 15.2.8441 / 15.3.8531 / 15.4.8630 or later). Environments integrated with Sitefinity Insight are especially high priority; plan your response to include rotating the connection keys. The vendor, Progress Software, is also the maker of MOVEit, so flaws in its products remain worth watching.
References
- Progress - Sitefinity Security Advisory (CVE-2026-7312/7198/7195/7201/7313)
- NVD - CVE-2026-7312 (plain-text credential exposure, CVSS 10.0)
- NVD - CVE-2026-7198 (unauthorized access to private content, CVSS 9.8)
- NVD - CVE-2026-7195 (user account compromise, CVSS 8.8)
- NVD - CVE-2026-7201 (account-setting modification, CVSS 8.8)
- NVD - CVE-2026-7313 (credential retrieval on old versions, CVSS 8.7)
- NVD - CVE-2023-34362 (MOVEit Transfer, the 2023 mass breach)
- Progress Sitefinity official site