Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
According to CWE-327 (Use of a Broken or Risky Cryptographic Algorithm), the vulnerability results from the use of an insecure cryptographic algorithm in the CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View As Webpage modules. Weak cryptography allows an attacker to manipulate communication with network services (Web Services Protocol Manipulation), which may include forgery, modification, or decryption of protected data transmitted by these modules. The attack is possible remotely, over the network, without requiring privileges or user engagement.
An attacker can gain full control over the confidentiality, integrity, and availability of data processed by vulnerable modules — including potentially hijacking or modifying subscriber data and marketing campaign configuration.
Salesforce implemented a server-side patch dated January 21, 2026 — SaaS environments should be automatically updated. Administrators should verify their environment version and follow the vendor's recommendations available at: https://help.salesforce.com/s/articleView?id=005299346&type=1
Salesforce Marketing Cloud Engagement in all versions before January 21, 2026 — modules: CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSalesforce Marketing Cloud Engagement
APPSalesforce< 2026-01-21
Related vulnerabilities
Argument Injection w Salesforce Marketing Cloud Engagement (MicrositeUrl)
Argument Injection w Salesforce Marketing Cloud Engagement (CloudPagesUrl)
Zahardkodowany klucz kryptograficzny w Salesforce Marketing Cloud Engagement
Code Injection w Salesforce Uni2TS — zdalne wykonanie kodu
MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime compon...