Cyber Resilience

CVE-2026-22586

Critical

Published: 24 January 2026

Published
24 January 2026
Modified
15 May 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0061 44.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-22586 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Salesforce Marketing Cloud Engagement. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22586 is a hard-coded cryptographic key vulnerability (CWE-321) in Salesforce Marketing Cloud Engagement, specifically affecting the CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View As Webpage modules. This flaw enables Web Services Protocol Manipulation and impacts all versions of Marketing Cloud Engagement prior to January 21st, 2026. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its severe potential impacts.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no requirement for user interaction or privileges. Successful exploitation allows adversaries to manipulate web services protocols, resulting in high confidentiality, integrity, and availability impacts on affected systems.

Salesforce has published a security advisory at https://help.salesforce.com/s/articleView?id=005299346&type=1, which addresses the issue. Mitigation requires updating to Marketing Cloud Engagement versions released on or after January 21st, 2026.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Hard-coded key in public-facing Salesforce Marketing Cloud web modules directly enables remote unauthenticated exploitation of the application for protocol manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22582Same product: Salesforce Marketing Cloud Engagement
CVE-2026-22585Same product: Salesforce Marketing Cloud Engagement
CVE-2026-22583Same product: Salesforce Marketing Cloud Engagement
CVE-2026-22584Same vendor: Salesforce
CVE-2026-26335Shared CWE-321
CVE-2025-11899Shared CWE-321
CVE-2025-15016Shared CWE-321
CVE-2025-62581Shared CWE-321
CVE-2025-57174Shared CWE-321
CVE-2026-6580Shared CWE-321

Affected Assets

salesforce
marketing cloud engagement
≤ 2026-01-21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely identification, reporting, testing, and correction of flaws such as this hard-coded cryptographic key vulnerability through vendor patching.

prevent

Mandates establishment and management of cryptographic keys, prohibiting hard-coded keys that enable protocol manipulation.

prevent

Ensures receipt, dissemination, and implementation of vendor security advisories like Salesforce's for this CVE to enable patching.

References