Salesforce Marketing Cloud Engagement Web Services Protocol Manipulation Vulnerability

Vulnerability

A vulnerability allowing Web Services Protocol Manipulation has been identified in Salesforce Marketing Cloud Engagement. This issue arises from the use of a broken or risky cryptographic algorithm and affects several modules, including CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View As Webpage. The vulnerability was present in Marketing Cloud Engagement prior to January 21, 2026.

Impact

Exploitation of this vulnerability allowed for Web Services Protocol Manipulation, potentially leading to unauthorized actions or data exposure within the affected modules.

Remediation

Salesforce has deployed enhanced AES-GCM encryption across the Marketing Cloud Engagement platform. For customers, this deployment was completed on January 21, 2026, at 23:00 UTC. Links generated in emails sent after this date use the new encryption and are not vulnerable to these issues.

Added: Jan 24, 2026, 1:24 AM
Updated: Jan 24, 2026, 1:24 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.6
exploitability: 7.4
remediation: 0.0
relevance: 2.2
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.