CVE-2026-6023

High · RCE

Published: 22 April 2026
Modified: 05 May 2026
KEV Added: not listed
Patch: available, see the Telerik knowledge base advisory
CVSS Score: v3.1 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0054 (41.2nd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-6023 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Progress Telerik UI for ASP.NET AJAX. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 41.2nd percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6023 is an insecure deserialization vulnerability (CWE-502) affecting the RadFilter control in Progress Telerik UI for AJAX versions 2024.4.1114 through 2026.1.421. The issue arises when the control restores filter state that has been exposed to the client, allowing tampered data to trigger server-side remote code execution. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete confidentiality, integrity, and availability impact.

A remote, unauthenticated attacker exploits the flaw by tampering with the client-exposed filter state before it is posted back and deserialized on the server. The vector rates attack complexity as High (AC:H); the vendor description conditions the flaw on the filter state actually being exposed to the client, so that precondition has to hold for the described attack path to exist. When it does, successful exploitation yields arbitrary code execution in the context of the web application, which can lead to full compromise of the host.

The official Telerik knowledge base advisory at https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-deserialization-of-untrusted-data-cve-2026-6023 provides details on mitigation, including recommendations for securing filter state handling and available patches for affected versions. Security practitioners should consult this resource for specific remediation steps.
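The pattern below is an added illustration, not Telerik's code and not the vendor's fix for this CVE: it shows the generic hardening that applies whenever a server round-trips state through the browser, using hypothetical names (FilterState, FilterStateProtector, the allow-listed column names) and assuming .NET 6 or later. The state is serialized into a fixed, data-only type, authenticated with an HMAC under a server-side key before it is parsed, and then checked against server-side allow-lists, so an edited hidden field is rejected before any deserializer runs on it.

```csharp
// Added illustration only (not Telerik's code, not the CVE-2026-6023 fix).
// Assumes .NET 6 or later; every type used is in the base class library.
using System;
using System.Security.Cryptography;
using System.Text.Json;

// Fixed, data-only shape for the state that travels to the browser. A serializer
// that can only materialise this type has no type-name handling for a payload to abuse.
public sealed class FilterState
{
    public string Field { get; set; } = "";
    public string Operator { get; set; } = "";
    public string Value { get; set; } = "";
}

public static class FilterStateProtector
{
    // Server-side vocabulary (hypothetical column names); the client may choose among these only.
    private static readonly string[] AllowedFields = { "OrderId", "Customer", "Total" };
    private static readonly string[] AllowedOperators = { "EqualTo", "Contains", "GreaterThan" };
    private const int MaxValueLength = 256;

    // Token for the hidden field: base64url(json) + "." + base64url(HMAC-SHA256 over json).
    public static string Protect(FilterState state, byte[] key)
    {
        byte[] payload = JsonSerializer.SerializeToUtf8Bytes(state);
        byte[] tag = HMACSHA256.HashData(key, payload);
        return B64Url(payload) + "." + B64Url(tag);
    }

    // Restore state from the postback. Returns null for anything not produced by
    // Protect under the same key, or that fails the allow-list checks.
    public static FilterState? Unprotect(string token, byte[] key)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;

        byte[] payload, tag;
        try { payload = FromB64Url(parts[0]); tag = FromB64Url(parts[1]); }
        catch (FormatException) { return null; }

        // 1. Authenticate before parsing: a tampered payload never reaches the deserializer.
        byte[] expected = HMACSHA256.HashData(key, payload);
        if (!CryptographicOperations.FixedTimeEquals(expected, tag)) return null;

        // 2. Deserialize into the fixed DTO only.
        FilterState? state;
        try { state = JsonSerializer.Deserialize<FilterState>(payload); }
        catch (JsonException) { return null; }
        if (state is null) return null;

        // 3. Validate content (the SI-10 step): reject anything outside the server's own vocabulary.
        if (Array.IndexOf(AllowedFields, state.Field) < 0) return null;
        if (Array.IndexOf(AllowedOperators, state.Operator) < 0) return null;
        if (state.Value.Length > MaxValueLength) return null;
        return state;
    }

    private static string B64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] FromB64Url(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(t.PadRight(t.Length + (4 - t.Length % 4) % 4, '='));
    }
}

public static class Program
{
    public static void Main()
    {
        // Demo key; a real deployment loads it from configuration or a key store.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        var original = new FilterState { Field = "Customer", Operator = "Contains", Value = "Acme" };

        string token = FilterStateProtector.Protect(original, key);
        Console.WriteLine("Genuine token accepted: " + (FilterStateProtector.Unprotect(token, key) != null));

        // Simulate the browser editing the hidden field: change one character inside the payload part.
        string[] parts = token.Split('.');
        char swapped = parts[0][10] == 'A' ? 'B' : 'A';
        string tampered = parts[0].Substring(0, 10) + swapped + parts[0].Substring(11) + "." + parts[1];
        Console.WriteLine("Tampered token accepted: " + (FilterStateProtector.Unprotect(tampered, key) != null));

        // A correctly signed token is still rejected if it names a column outside the allow-list.
        var rogue = new FilterState { Field = "PasswordHash", Operator = "EqualTo", Value = "x" };
        string rogueToken = FilterStateProtector.Protect(rogue, key);
        Console.WriteLine("Rogue field accepted: " + (FilterStateProtector.Unprotect(rogueToken, key) != null));
    }
}
```

Run with dotnet run: the genuine token is accepted, while the edited token and the signed token that names a non-allowed column are both rejected. The order matters: the HMAC check runs before parsing, so the deserializer only ever sees bytes the server produced itself, and the allow-list check runs after, so even a key compromise or a server-side bug that signs bad state cannot widen the vocabulary the client controls. Keeping the state server-side and sending the browser only an opaque handle removes the deserialization surface entirely; either way, this pattern complements the vendor patch and does not replace it.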

Vulnerability details

In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, server-side remote code execution is possible.

CWE(s)

CWE-502 Deserialization of Untrusted Data

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an insecure deserialization flaw in a public-facing web application component (Telerik UI for AJAX RadFilter), enabling remote unauthenticated attackers to achieve arbitrary server-side RCE by tampering with client-exposed filter state data.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-6022 · Same product: Progress Telerik UI for ASP.NET AJAX
CVE-2026-7198 · Same vendor: Progress
CVE-2026-2699 · Same vendor: Progress
CVE-2025-13774 · Same vendor: Progress
CVE-2026-7195 · Same vendor: Progress
CVE-2026-4670 · Same vendor: Progress
CVE-2025-62368 · Shared CWE-502
CVE-2025-68903 · Shared CWE-502
CVE-2025-67911 · Shared CWE-502
CVE-2025-54014 · Shared CWE-502

Affected Assets

Progress Telerik UI for ASP.NET AJAX, versions 2024.4.1114 through 2026.1.421

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation · prevent
Directly mitigates the CVE by requiring timely identification, reporting, and patching of the insecure deserialization flaw in Telerik UI for AJAX.

SI-10 Information Input Validation · prevent
Requires validation of the client-exposed filter state data prior to deserialization to block tampered payloads leading to RCE.

prevent
Enforces restrictions on untrusted filter state inputs to prevent processing of malicious deserialized data from clients.