Salesforce Marketing Cloud Engagement Hard-Coded Cryptographic Key Vulnerability Allowing Web Services Protocol Manipulation
Vulnerability
A hard-coded cryptographic key vulnerability has been identified in Salesforce Marketing Cloud Engagement. This issue affects the CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, and View As Webpage modules, prior to January 21, 2026. The vulnerability allows for Web Services Protocol Manipulation.
Impact
Exploitation of this vulnerability could lead to unauthorized manipulation of web services protocols, potentially allowing for unauthorized actions or data modifications within the affected Marketing Cloud Engagement modules.
Remediation
Salesforce has deployed enhanced AES-GCM encryption across the Marketing Cloud Engagement platform. For customers, this deployment was completed on January 21, 2026, at 23:00 UTC. Links generated in emails sent after this date use the new encryption and are not vulnerable to these issues.
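The property the remediation relies on, shown as an added example (not Salesforce's implementation and not part of the advisory): a link token sealed with AES-GCM under a key supplied at runtime cannot be altered, or opened with a different key, without failing authentication. The token layout, the module-name binding, the function names and the sample payload are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed token layout (illustrative): base64url(nonce[12] || ciphertext || tag[16]).
const NONCE_LEN = 12;
const TAG_LEN = 16;

// key: 32-byte Buffer loaded from a secret store at runtime, never a source constant.
// moduleName is bound as associated data (an assumption of this sketch) so a
// token minted for one module fails authentication at another.
function sealLinkToken(key, moduleName, payload) {
  const nonce = crypto.randomBytes(NONCE_LEN); // fresh nonce per token
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(moduleName, 'utf8'));
  const body = Buffer.concat([
    cipher.update(JSON.stringify(payload), 'utf8'),
    cipher.final(),
  ]);
  return Buffer.concat([nonce, body, cipher.getAuthTag()]).toString('base64url');
}

// Returns the payload object, or null if the token is malformed or fails authentication.
function openLinkToken(key, moduleName, token) {
  const raw = Buffer.from(token, 'base64url');
  if (raw.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = raw.subarray(0, NONCE_LEN);
  const body = raw.subarray(NONCE_LEN, raw.length - TAG_LEN);
  const tag = raw.subarray(raw.length - TAG_LEN);
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, nonce, {
      authTagLength: TAG_LEN,
    });
    decipher.setAAD(Buffer.from(moduleName, 'utf8'));
    decipher.setAuthTag(tag);
    const plain = Buffer.concat([decipher.update(body), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch {
    return null; // authentication failed (modified token, wrong key or module) or bad payload
  }
}

// Constructed sample values; randomBytes stands in for a key fetched from a secret store.
const demoKey = crypto.randomBytes(32);
const demoToken = sealLinkToken(demoKey, 'subscription-center', { subscriber: 'constructed-001' });
console.log(openLinkToken(demoKey, 'subscription-center', demoToken)); // payload object
console.log(openLinkToken(demoKey, 'profile-center', demoToken));      // null
```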
