CVE-2026-22586

Critical

Published: 24 January 2026

Published

24 January 2026

Modified

12 February 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0002 6.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22586 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Salesforce Marketing Cloud Engagement. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, testing, and correction of flaws such as this hard-coded cryptographic key vulnerability through vendor patching.

SC-12 Cryptographic Key Establishment and Management good match

prevent

Mandates establishment and management of cryptographic keys, prohibiting hard-coded keys that enable protocol manipulation.

SI-5 Security Alerts, Advisories, and Directives good match

prevent

Ensures receipt, dissemination, and implementation of vendor security advisories like Salesforce's for this CVE to enable patching.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Hard-coded key in public-facing Salesforce Marketing Cloud web modules directly enables remote unauthenticated exploitation of the application for protocol manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026.

Deeper analysisAI

CVE-2026-22586 is a hard-coded cryptographic key vulnerability (CWE-321) in Salesforce Marketing Cloud Engagement, specifically affecting the CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View As Webpage modules. This flaw enables Web Services Protocol Manipulation and impacts all versions of Marketing Cloud Engagement prior to January 21st, 2026. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), classifying it as critical due to its severe potential impacts.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no requirement for user interaction or privileges. Successful exploitation allows adversaries to manipulate web services protocols, resulting in high confidentiality, integrity, and availability impacts on affected systems.

Salesforce has published a security advisory at https://help.salesforce.com/s/articleView?id=005299346&type=1, which addresses the issue. Mitigation requires updating to Marketing Cloud Engagement versions released on or after January 21st, 2026.