Cyber Resilience

CVE-2026-5426

Severity: Critical · Impact: RCE

Published: 16 April 2026
Modified: 26 May 2026
KEV Added: not listed
Patch: not recorded on this page
CVSS Score v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0101 (58.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-5426 is a critical-severity Use of Hard-coded Cryptographic Key (CWE-321) vulnerability in Digital Knowledge KnowledgeDeliver. (The page's automated vendor attribution reads "Google", inferred from the Mandiant disclosure reference rather than from the affected product; NVD filed no CPE.) Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-12 (Cryptographic Key Establishment and Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5426 is a hard-coded ASP.NET/IIS machineKey in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 (published 2026-04-16). Because the validationKey and decryptionKey are static, every installation shares the same secret, and anyone who obtains it can produce ViewState whose MAC the server computes as valid. ViewState validation therefore passes and the attacker-supplied object graph is deserialized, which yields remote code execution. The page records the CVSS v3.1 vector in this section as 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), while the header gives 9.1 with I:H; the two entries are inconsistent, and the 9.1 figure is the one behind the Critical rating. The issue maps to CWE-321 (Use of Hard-coded Cryptographic Key) and CWE-502 (Deserialization of Untrusted Data).

Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no authentication, privileges, or user interaction. An unauthenticated adversary submits a crafted ViewState blob carrying a MAC computed under the known static machineKey; the server's validation check accepts it and deserializes the payload, giving arbitrary code execution on the web server. The recorded 7.5 vector scores only confidentiality impact, but code execution on the server in practice also compromises integrity and availability.

Mitigation guidance is available in the Mandiant vulnerability disclosure at https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md and on the vendor's Digital Knowledge KnowledgeDeliver product page at https://www.digital-knowledge.co.jp/product/kd/. Deployments prior to February 24, 2026 remain vulnerable, indicating that updates released on or after that date address the hard-coded key issue. After updating, confirm that the deployed web.config no longer carries the static validationKey/decryptionKey pair; a key that was ever shipped to customers should be treated as public and replaced, not merely kept out of future releases.
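The two points above, the static machineKey in web.config and the forged-MAC path through ViewState validation, can be shown together. The following is an added example written for this page, not code from Digital Knowledge, Mandiant or the KnowledgeDeliver product. The two web.config fragments and the ViewState payload are constructed, the key values are placeholders, and the MAC routine is a simplified model (HMAC-SHA256 over the serialized state) rather than a reimplementation of ASP.NET's real ViewState format. The audit function flags a literal hex key as hard-coded and treats `AutoGenerate` as safe.

```python
"""Audit an ASP.NET web.config for a hard-coded <machineKey> and show why a
known validationKey lets an attacker forge ViewState that passes MAC validation.

Added example for this advisory page; not code from the project or the vendor.
The configs and the ViewState payload below are constructed, and the MAC check
is a simplified model of ASP.NET's ViewState MAC (HMAC over the serialized
state), not a reimplementation of the real format."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Constructed: the weak pattern the advisory describes, a static key in web.config.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

# Constructed: hardened form, the runtime generates per-application keys.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def find_machine_keys(config_xml):
    """Return (validationKey, decryptionKey) for every <machineKey> in the config."""
    root = ET.fromstring(config_xml)
    return [(el.get("validationKey", ""), el.get("decryptionKey", ""))
            for el in root.iter("machineKey")]


def is_hardcoded(value):
    """A literal hex key is hard-coded; an AutoGenerate directive is not."""
    v = value.strip()
    if not v or v.startswith("AutoGenerate"):
        return False
    return all(c in HEX_DIGITS for c in v)


def audit(config_xml):
    """List findings; an empty list means no static key was found."""
    findings = []
    for vk, dk in find_machine_keys(config_xml):
        if is_hardcoded(vk):
            findings.append("hard-coded validationKey")
        if is_hardcoded(dk):
            findings.append("hard-coded decryptionKey")
    return findings


def viewstate_mac(validation_key_hex, serialized_state):
    """Simplified model: MAC = HMAC-SHA256(validationKey, serialized ViewState)."""
    return hmac.new(bytes.fromhex(validation_key_hex), serialized_state,
                    hashlib.sha256).digest()


def server_validates(server_key_hex, serialized_state, tag):
    """What the server does before deserializing: recompute and compare the MAC."""
    return hmac.compare_digest(viewstate_mac(server_key_hex, serialized_state), tag)


def forgery_demo():
    """Return (accepted_by_vulnerable_server, accepted_by_hardened_server)."""
    # Constructed stand-in for a malicious serialized ViewState (no real gadget chain).
    payload = b"constructed-serialized-viewstate-with-attacker-controlled-object-graph"
    # Vulnerable deployment: the attacker reads the same key from the shipped web.config.
    leaked_key = find_machine_keys(WEAK_WEB_CONFIG)[0][0]
    forged_tag = viewstate_mac(leaked_key, payload)
    vulnerable = server_validates(leaked_key, payload, forged_tag)
    # Hardened deployment: the key is per-install and unknown to the attacker.
    per_install_key = secrets.token_hex(32)
    hardened = server_validates(per_install_key, payload, forged_tag)
    return vulnerable, hardened


if __name__ == "__main__":
    print("weak config findings:", audit(WEAK_WEB_CONFIG))
    print("hardened config findings:", audit(HARDENED_WEB_CONFIG))
    print("forged ViewState accepted (vulnerable, hardened):", forgery_demo())
```

To use the audit against a real deployment, pass the contents of the application's web.config (and any applicationHost.config or machine-level config that sets machineKey) to `audit`. Note that `AutoGenerate` is only a safe choice for a single-server deployment; a web farm needs an explicit key that is unique to that installation, delivered out of band and rotated, which still satisfies the check here as long as it is not shipped in the product. Real ASP.NET also folds page-specific modifiers into the MAC and uses decryptionKey when ViewState encryption is on, but neither changes the conclusion: once the validationKey is known, MAC validation no longer stands between an attacker's payload and the deserializer.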


Vulnerability details

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks

CWE(s)

CWE-321 Use of Hard-coded Cryptographic Key
CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Hard-coded machineKey enables unauthenticated remote exploitation of public-facing ASP.NET/IIS web app for RCE via ViewState deserialization, directly mapping to T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22586 (shared CWE-321)
CVE-2025-62368 (shared CWE-502)
CVE-2025-68903 (shared CWE-502)
CVE-2025-67911 (shared CWE-502)
CVE-2025-54014 (shared CWE-502)
CVE-2026-22505 (shared CWE-502)
CVE-2025-53078 (shared CWE-502)
CVE-2026-43633 (shared CWE-502)
CVE-2025-60039 (shared CWE-502)
CVE-2026-25429 (shared CWE-502)

Affected Assets

Digital Knowledge KnowledgeDeliver, deployments prior to February 24, 2026 (from the vulnerability description; NVD did not file a CPE for this CVE)
The page's automated inference lists "Google", which reflects the Mandiant (a Google company) disclosure reference rather than the affected vendor.

Mitigating Controls (NIST 800-53 r5, AI-assigned)

SI-2 Flaw Remediation (prevent)
Directly remediates the hard-coded machineKey flaw by identifying, reporting, and applying vendor updates released on or after February 24, 2026.

SC-12 Cryptographic Key Establishment and Management (prevent)
Establishes and manages cryptographic keys securely, prohibiting hard-coded keys that enable ViewState validation bypass. For machineKey this means a per-installation key that is never shipped in the product and is rotated if exposed.

SI-10 Information Input Validation (prevent; control ID inferred from the description, which the page does not name)
Validates untrusted inputs like ViewState data to mitigate deserialization attacks even if cryptographic weaknesses exist. Note that ViewState MAC validation is itself the input check that the static key defeats, so this control only helps when the deserializer refuses unexpected types regardless of MAC outcome.

References

Mandiant vulnerability disclosure MNDT-2026-0009: https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md
Digital Knowledge KnowledgeDeliver product page: https://www.digital-knowledge.co.jp/product/kd/