{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5426", "assignerOrgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484", "state": "PUBLISHED", "assignerShortName": "Mandiant", "dateReserved": "2026-04-02T14:20:13.588Z", "datePublished": "2026-04-16T15:18:46.224Z", "dateUpdated": "2026-04-18T02:31:32.234Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484", "shortName": "Mandiant", "dateUpdated": "2026-04-16T15:22:20.823Z"}, "title": "KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-321", "description": "CWE-321 Use of hard-coded cryptographic key", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-502", "description": "CWE-502 Deserialization of untrusted data", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "affected": [{"vendor": "Digital Knowledge", "product": "KnowledgeDeliver", "versions": [{"status": "affected", "version": "0", "lessThan": "20260224", "versionType": "date"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks"}]}], "references": [{"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md", "tags": ["third-party-advisory"]}, {"url": "https://www.digital-knowledge.co.jp/product/kd/", "tags": ["product"]}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-18T02:30:29.158302Z", "id": "CVE-2026-5426", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-18T02:31:32.234Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-5426", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-18T02:30:29.158302Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-18T02:31:27.581Z"}}], "cna": {"title": "KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "CAPEC-586 Object Injection"}]}], "affected": [{"vendor": "Digital Knowledge", "product": "KnowledgeDeliver", "versions": [{"status": "affected", "version": "0", "lessThan": "20260224", "versionType": "date"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md", "tags": ["third-party-advisory"]}, {"url": "https://www.digital-knowledge.co.jp/product/kd/", "tags": ["product"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks", "supportingMedia": [{"type": "text/html", "value": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-321", "description": "CWE-321 Use of hard-coded cryptographic key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of untrusted data"}]}], "providerMetadata": {"orgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484", "shortName": "Mandiant", "dateUpdated": "2026-04-16T15:22:20.823Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5426", "state": "PUBLISHED", "dateUpdated": "2026-04-18T02:31:32.234Z", "dateReserved": "2026-04-02T14:20:13.588Z", "assignerOrgId": "027e81ed-0dd4-4685-ab4d-884aec5bb484", "datePublished": "2026-04-16T15:18:46.224Z", "assignerShortName": "Mandiant"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks"}], "id": "CVE-2026-5426", "lastModified": "2026-04-18T04:16:25.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-16T16:16:17.693", "references": [{"source": "mandiant-cve@google.com", "url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md"}, {"source": "mandiant-cve@google.com", "url": "https://www.digital-knowledge.co.jp/product/kd/"}], "sourceIdentifier": "mandiant-cve@google.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-321"}, {"lang": "en", "value": "CWE-502"}], "source": "mandiant-cve@google.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,20260224)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "KnowledgeDeliver", "source": "cna", "vendor": "Digital Knowledge"}, "product": "knowledgedeliver", "vendor": "digital_knowledge"}], "analysis": {"en": {"generated_at": "2026-04-18T19:28:43.004963+00:00", "value": {"mitigation_remediation": ["Apply the latest vendor patch or upgrade to a version released after February\u202f24\u202f2026 that configures a unique machineKey.", "Generate a, unique machineKey per deployment and set it in the web.config file to replace the hard\u2011coded value.", "Disable or restrict ViewState usage, enforce strict serialization checks, and monitor for anomalous ViewState traffic."], "summary": {"action": "Assess Impact", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Digital Knowledge KnowledgeDeliver deployments prior to February\u202f24\u202f2026 are impacted. All versions of the product that rely on the hard\u2011coded machineKey configuration before this date are vulnerable. The flaw is tied to the web stack that includes IIS running ASP.NET, where the machineKey supplies both validation and decryption for ViewState data.", "description_and_impact": "The vulnerability originates from a static ASP.NET/IIS machineKey value used in Digital Knowledge KnowledgeDeliver installations before February\u202f24\u202f2026. Because the key is hard\u2011coded, attackers can forge signed ViewState payloads that bypass the framework\u2019s validation, allowing the injection of malicious objects that are deserialized by the application. This flaw permits remote code execution on the server, making the affected environments highly vulnerable. It falls under CWE\u2011321 and CWE\u2011502.", "risk_and_exploitability": "The flaw offers a straightforward remote exploitation path: an attacker can craft malicious ViewState and send it to any endpoint that accepts ViewState without authentication, bypassing integrity checks and triggering arbitrary code execution. No official patch or workaround is listed, the EPSS score is <\u202f1%, and the vulnerability is not in CISA KEV. The CVSS score of 7.5 indicates high severity, and combined with the low exploitation barrier the risk remains high even though exploit activity has not been tracked publicly."}}}}, "created": "2026-04-16T18:58:26.106264+00:00", "updated": "2026-04-18T19:30:08.945062+00:00", "vendors": ["digital_knowledge", "digital_knowledge$PRODUCT$knowledgedeliver"]}