Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.
The vulnerability results from the use of a static cryptographic key hardcoded into the code in several platform modules: CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View As Webpage. An attacker, knowing or reproducing this key, can manipulate communication based on Web Services Protocol Manipulation. Since the key is shared across all installations, its compromise affects potentially all users using vulnerable modules. The attack requires no authentication or user interaction.
An attacker can gain full control over the confidentiality, integrity, and availability of data processed by vulnerable modules, which may lead to unauthorized reading, modification, or deletion of marketing and customer data.
Salesforce released a patch dated January 21, 2026. Ensure that the Marketing Cloud Engagement environment has been updated to a version after this date. Detailed information is available in the Salesforce technical support article referenced (ID: 005299346). It is also recommended to verify access logs to vulnerable modules to detect any potential unauthorized access attempts.
Salesforce Marketing Cloud Engagement in all versions released before January 21, 2026, in the modules: CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSalesforce Marketing Cloud Engagement
APPSalesforce< 2026-01-21
Related vulnerabilities
Argument Injection w Salesforce Marketing Cloud Engagement (MicrositeUrl)
Argument Injection w Salesforce Marketing Cloud Engagement (CloudPagesUrl)
Salesforce Marketing Cloud Engagement — słaby algorytm kryptograficzny (RCE-class)
Code Injection w Salesforce Uni2TS — zdalne wykonanie kodu
MuleSoft is aware of a Remote Code Execution vulnerability affecting certain versions of a Mule runtime compon...