{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22586", "assignerOrgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "state": "PUBLISHED", "assignerShortName": "Salesforce", "dateReserved": "2026-01-07T19:03:25.721Z", "datePublished": "2026-01-24T00:17:08.285Z", "dateUpdated": "2026-04-29T19:19:33.993Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "shortName": "Salesforce", "dateUpdated": "2026-04-29T19:19:33.993Z"}, "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-321", "description": "CWE-321 Hard-coded Cryptographic Key", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-278", "descriptions": [{"lang": "en", "value": "CAPEC-278 Web Services Protocol Manipulation"}]}], "affected": [{"vendor": "Salesforce", "product": "Marketing Cloud Engagement", "modules": ["CloudPages", "Forward to a Friend", "Profile Center", "Subscription Center", "Unsub Center", "View As Webpage"], "versions": [{"status": "affected", "version": "0", "lessThan": "January 21, 2026", "versionType": "date"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.<p></p>"}]}], "references": [{"url": "https://help.salesforce.com/s/articleView?id=005299346&type=1"}], "credits": [{"lang": "en", "value": "HackerOne: h_a_0_k_e_r", "type": "reporter"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22586", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T04:55:35.799305Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:53.335Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-22586", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-27T04:55:35.799305Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T16:25:46.791Z"}}], "cna": {"source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "reporter", "value": "HackerOne: h_a_0_k_e_r"}], "impacts": [{"capecId": "CAPEC-278", "descriptions": [{"lang": "en", "value": "CAPEC-278 Web Services Protocol Manipulation"}]}], "affected": [{"vendor": "Salesforce", "modules": ["CloudPages", "Forward to a Friend", "Profile Center", "Subscription Center", "Unsub Center", "View As Webpage"], "product": "Marketing Cloud Engagement", "versions": [{"status": "affected", "version": "0", "lessThan": "January 21, 2026", "versionType": "date"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://help.salesforce.com/s/articleView?id=005299346&type=1"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.", "supportingMedia": [{"type": "text/html", "value": "Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.<p></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321 Hard-coded Cryptographic Key"}]}], "providerMetadata": {"orgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "shortName": "Salesforce", "dateUpdated": "2026-04-29T19:19:33.993Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22586", "state": "PUBLISHED", "dateUpdated": "2026-04-29T19:19:33.993Z", "dateReserved": "2026-01-07T19:03:25.721Z", "assignerOrgId": "c9b25dee-ae6d-4083-ba23-638c500cc364", "datePublished": "2026-01-24T00:17:08.285Z", "assignerShortName": "Salesforce"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:salesforce:marketing_cloud_engagement:*:*:*:*:*:*:*:*", "matchCriteriaId": "5A41CCDE-A5EA-45D6-A009-A6908459C453", "versionEndExcluding": "2026-01-21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026."}, {"lang": "es", "value": "Vulnerabilidad de clave criptogr\u00e1fica codificada de forma r\u00edgida en Salesforce Marketing Cloud Engagement (m\u00f3dulos CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage) permite la manipulaci\u00f3n del protocolo de servicios web. Este problema afecta a Marketing Cloud Engagement: antes del 21 de enero de 2026."}], "id": "CVE-2026-22586", "lastModified": "2026-05-15T20:25:13.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-24T01:15:50.283", "references": [{"source": "security@salesforce.com", "tags": ["Vendor Advisory"], "url": "https://help.salesforce.com/s/articleView?id=005299346&type=1"}], "sourceIdentifier": "security@salesforce.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}], "source": "security@salesforce.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T03:01:26.674446+00:00", "value": {"mitigation_remediation": ["Apply the latest Marketing Cloud Engagement release dated January\u202f21\u202f2026 or later. ", "Verify that the application no longer contains hard\u2011coded cryptographic keys in its configuration and code base. ", "Implement temporary restrictions on API access, such as IP whitelisting or enforced multi\u2011factor authentication, to limit the attack surface."], "summary": {"action": "Patch Now", "impact": "Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "Salesforce Marketing Cloud Engagement, all releases prior to January 21, 2026, including CloudPages, Profile Center, and related modules.", "description_and_impact": "A hard\u2011coded cryptographic key is embedded in Salesforce Marketing Cloud Engagement components such as CloudPages and Forward to a Friend. This flaw permits an attacker to craft web service requests that bypass normal security checks, enabling manipulation of the underlying protocol. Consequently, an adversary could read, modify, or delete data that the application handles, compromising confidentiality and integrity of user information.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 9.8, indicating high severity, but the EPSS score sits below 1%, suggesting a low likelihood of exploitation under current conditions. It has not been listed in the CISA KEV catalog. Exploitation would occur remotely through crafted web service requests, exploiting the hard\u2011coded key to manipulate the protocol and gain unauthorized access."}}}}, "created": "2026-01-26T11:48:56.426206+00:00", "title": "Hard\u2011coded Cryptographic Key Allows Web Services Protocol Manipulation in Salesforce Marketing Cloud Engagement", "updated": "2026-04-18T03:15:35.424281+00:00", "vendors": ["salesforce", "salesforce$PRODUCT$marketing_cloud_engagement"]}