CVE-2026-6023
Published: 22 April 2026
Summary
CVE-2026-6023 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Progress Telerik UI for ASP.NET AJAX. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood it ranks at the 16.2 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring timely identification, reporting, and patching of the insecure deserialization flaw in Telerik UI for AJAX.
- Requires validation of the client-exposed filter state data prior to deserialization to block tampered payloads leading to RCE.
- Enforces restrictions on untrusted filter state inputs to prevent processing of malicious deserialized data from clients.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an insecure deserialization flaw in a public-facing web application component (Telerik UI for AJAX RadFilter), enabling remote unauthenticated attackers to achieve arbitrary server-side RCE by tampering with client-exposed filter state data.
NVD Description
In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.
Deeper analysis
CVE-2026-6023 is an insecure deserialization vulnerability (CWE-502) affecting the RadFilter control in Progress Telerik UI for AJAX versions 2024.4.1114 through 2026.1.421. The issue arises when the control restores filter state that has been exposed to the client, allowing tampered data to trigger server-side remote code execution. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete confidentiality, integrity, and availability impact.
A remote attacker without privileges can exploit this vulnerability by tampering with the client-exposed filter state data before it is sent back to the server for deserialization. Successful exploitation requires high attack complexity, such as crafting a malicious payload that bypasses any existing protections during the deserialization process. If successful, the attacker achieves arbitrary remote code execution on the server, potentially leading to full system compromise.
The official Telerik knowledge base advisory at https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-deserialization-of-untrusted-data-cve-2026-6023 provides details on mitigation, including recommendations for securing filter state handling and available patches for affected versions. Security practitioners should consult this resource for specific remediation steps.
Details
- CWE(s)