Description
Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
Published: 2026-01-24
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Patch Now
AI Analysis

Impact

A hard‑coded cryptographic key is embedded in Salesforce Marketing Cloud Engagement components such as CloudPages and Forward to a Friend. This flaw permits an attacker to craft web service requests that bypass normal security checks, enabling manipulation of the underlying protocol. Consequently, an adversary could read, modify, or delete data that the application handles, compromising confidentiality and integrity of user information.

Affected Systems

Salesforce Marketing Cloud Engagement, all releases prior to January 21, 2026, including CloudPages, Profile Center, and related modules.

Risk and Exploitability

The vulnerability receives a CVSS score of 9.8, indicating high severity, but the EPSS score sits below 1%, suggesting a low likelihood of exploitation under current conditions. It has not been listed in the CISA KEV catalog. Exploitation would occur remotely through crafted web service requests, exploiting the hard‑coded key to manipulate the protocol and gain unauthorized access.

Generated by OpenCVE AI on April 18, 2026 at 03:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Marketing Cloud Engagement release dated January 21 2026 or later.
  • Verify that the application no longer contains hard‑coded cryptographic keys in its configuration and code base.
  • Implement temporary restrictions on API access, such as IP whitelisting or enforced multi‑factor authentication, to limit the attack surface.

Generated by OpenCVE AI on April 18, 2026 at 03:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 03:30:00 +0000

Type Values Removed Values Added
Title Hard‑coded Cryptographic Key Allows Web Services Protocol Manipulation in Salesforce Marketing Cloud Engagement

Thu, 12 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:salesforce:marketing_cloud_engagement:*:*:*:*:*:*:*:*

Mon, 26 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 26 Jan 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Salesforce
Salesforce marketing Cloud Engagement
Vendors & Products Salesforce
Salesforce marketing Cloud Engagement

Sat, 24 Jan 2026 00:45:00 +0000

Type Values Removed Values Added
Description Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
Weaknesses CWE-321
References

Subscriptions

Salesforce Marketing Cloud Engagement
cve-icon MITRE

Status: PUBLISHED

Assigner: Salesforce

Published:

Updated: 2026-04-29T19:19:33.993Z

Reserved: 2026-01-07T19:03:25.721Z

Link: CVE-2026-22586

cve-icon Vulnrichment

Updated: 2026-01-26T16:25:46.791Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-24T01:15:50.283

Modified: 2026-05-15T20:25:13.027

Link: CVE-2026-22586

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T03:15:35Z

Weaknesses