CRITICAL🇵🇱 Wersja polska

CVE-2026-22586

CVSS 9.8v3.1pub. 2026-01-24upd. 2026-05-15

Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

🤖 AI Analysis
How it works

The vulnerability results from the use of a static cryptographic key hardcoded into the code in several platform modules: CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View As Webpage. An attacker, knowing or reproducing this key, can manipulate communication based on Web Services Protocol Manipulation. Since the key is shared across all installations, its compromise affects potentially all users using vulnerable modules. The attack requires no authentication or user interaction.

Impact

An attacker can gain full control over the confidentiality, integrity, and availability of data processed by vulnerable modules, which may lead to unauthorized reading, modification, or deletion of marketing and customer data.

Mitigation & patch

Salesforce released a patch dated January 21, 2026. Ensure that the Marketing Cloud Engagement environment has been updated to a version after this date. Detailed information is available in the Salesforce technical support article referenced (ID: 005299346). It is also recommended to verify access logs to vulnerable modules to detect any potential unauthorized access attempts.

Who is affected

Salesforce Marketing Cloud Engagement in all versions released before January 21, 2026, in the modules: CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Salesforce Marketing Cloud Engagement

    APP
    Salesforce
    < 2026-01-21
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-22582CRITICAL9.8PL ✓ten sam produkt

Argument Injection w Salesforce Marketing Cloud Engagement (MicrositeUrl)

CVE-2026-22583CRITICAL9.8PL ✓ten sam produkt

Argument Injection w Salesforce Marketing Cloud Engagement (CloudPagesUrl)

CVE-2026-22585CRITICAL9.8PL ✓ten sam produkt

Salesforce Marketing Cloud Engagement — słaby algorytm kryptograficzny (RCE-class)

CVE-2026-22584CRITICAL9.8PL ✓ten sam vendor

Code Injection w Salesforce Uni2TS — zdalne wykonanie kodu

CVE-2021-1626CRITICAL9.8ten sam vendor

MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime compon...