Salesforce Marketing Cloud Vulnerability Exposed Email Data


By Sarah simpson
May 6, 2026

Serious security vulnerabilities within Salesforce Marketing Cloud (SFMC) could have allowed unauthorized access to and exposure of private email data for millions of users across hundreds of organizations.

The flaws, now patched, were rooted in the platform’s built-in scripting features and a decades-old encryption method that was never properly retired.

At their worst, these vulnerabilities gave a bad actor the ability to silently read every email ever sent by any company on the entire platform.

Salesforce Marketing Cloud, formerly known as ExactTarget, is one of the most widely used email marketing platforms in the world. It powers bulk email campaigns for companies across nearly every major industry, including aviation, finance, energy, and technology.

Its presence across Fortune 500 companies makes it an especially valuable target for anyone looking to harvest large volumes of customer data in a single, well-timed operation.

Researchers at Searchlight Cyber discovered and reported the vulnerabilities, which centered on a combination of template injection flaws and a broken encryption scheme protecting email viewing links.

Since the platform uses a single shared infrastructure and a single static encryption key for all customers, a flaw in one tenant could silently expose every other tenant on the same network.

The attack began with template injection, where user-supplied input, such as a name typed during a newsletter sign-up, could be executed as code by the platform’s scripting engine. SFMC supports scripting languages called AMPScript and SSJS, both used to personalize email content.

When user input was not sanitized before passing through these engines, attackers could run their own instructions inside the email rendering system.

From there, the damage escalated quickly. By accessing internal system tables inside SFMC, an attacker could extract contact lists, sent email content, SMS records, and click tracking data from any organization on the platform.

Researchers confirmed they found vulnerable companies across virtually every major sector by simply signing up to mailing lists with script payloads embedded in the name field.

Salesforce Marketing Cloud Vulnerability

One of the most widespread issues came from how SFMC handled email subject lines. By default, the platform evaluated AMPScript in subject lines twice before sending.

This meant that if subscriber data appeared anywhere in the subject line, the second evaluation pass would treat it as live code and execute it. A developer had no obvious reason to suspect danger, yet this behavior turned every personalized subject line into a potential entry point.

Salesforce had tried to remove this double evaluation behavior in 2023 but reversed course after customer pushback. Following the Searchlight Cyber disclosure, the platform permanently disabled double evaluation of subject line AMPScript, closing this attack vector for good.
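To make the double-evaluation hazard described above concrete, here is an added example written for this article. It is not Salesforce code and does not reproduce the real AMPScript engine: it is a toy personalization engine that understands a single `%%=v(@Attribute)=%%` token. The function names `renderOnce`, `renderTwice` and `findTemplateTokensInData`, the attributes `FirstName` and `InternalNote`, and the sample subscriber record are all constructed for the example. One pass renders subscriber data as inert text; a second pass over the already-rendered subject treats a token that arrived inside that data as live code.

```javascript
// Added example: toy template engine that mimics the "evaluate the subject line twice"
// behaviour. The token syntax is borrowed from AMPScript's %%=v(@name)=%% form only for
// illustration; the engine itself is constructed for this example.

const TOKEN = /%%=v\(@([A-Za-z_][A-Za-z0-9_]*)\)=%%/g;

// One evaluation pass: every token is replaced by the matching attribute value.
// Values are inserted as plain text; the pass does not re-scan what it inserted.
function renderOnce(template, attrs) {
  return template.replace(TOKEN, (_, name) =>
    Object.prototype.hasOwnProperty.call(attrs, name) ? String(attrs[name]) : '');
}

// The pre-fix behaviour: the rendered output is fed through the engine a second time,
// so any token that came from subscriber data is now evaluated as code.
function renderTwice(template, attrs) {
  return renderOnce(renderOnce(template, attrs), attrs);
}

// Defensive audit check: subscriber-supplied fields should never contain template
// delimiters. Returns the names of fields that do.
function findTemplateTokensInData(attrs) {
  const hits = [];
  for (const [field, value] of Object.entries(attrs)) {
    if (typeof value === 'string' && /%%/.test(value)) hits.push(field);
  }
  return hits;
}

// Constructed sample record: the subscriber typed a template token into the name field.
// InternalNote stands in for a value the subscriber must never be able to read.
const sampleAttrs = {
  FirstName: '%%=v(@InternalNote)=%%',
  InternalNote: 'CONSTRUCTED-SENSITIVE-VALUE',
};
const sampleSubject = 'Hello %%=v(@FirstName)=%%, your weekly update';

// Single pass: the injected token is shown literally, as harmless text.
// Double pass: the injected token is executed and leaks InternalNote.
console.log('once :', renderOnce(sampleSubject, sampleAttrs));
console.log('twice:', renderTwice(sampleSubject, sampleAttrs));
console.log('flagged fields:', findTemplateTokensInData(sampleAttrs));
```

The audit function is the part worth keeping: run it over incoming sign-up data (or over existing subscriber attributes) to find records carrying `%%` delimiters, and treat any hit as data to neutralize rather than code to evaluate.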

Salesforce fixed the vulnerabilities and assigned them the following CVE IDs:

  • CVE-2026-22585
  • CVE-2026-22586
  • CVE-2026-22582
  • CVE-2026-22583
  • CVE-2026-2298

Broken Encryption Enabled Cross-Tenant Email Access

The second major vulnerability involved how SFMC encrypted the query strings inside email view links, which allow recipients to open an email in a browser. The most widely used “classic” format was protected by an XOR cipher with a fixed, repeating key, which is not considered secure by any modern standard.

Because SFMC used a single static key shared across all customers globally, cracking one link gave an attacker the ability to forge new ones targeting emails from any company on the platform.

Using a technique called a CBC padding oracle attack, researchers decrypted and re-encrypted query parameters to read emails across different tenants.

In a faster variant, the number of required requests dropped from over ten thousand to just two per guess, making large-scale data harvesting technically feasible.

Salesforce was notified on January 16, 2026, and deployed a fix by January 24, 2026. The company rolled out AES-GCM encryption, expired all links created before January 23, 2026, and confirmed no unauthorized access to customer data had been identified.

Organizations using SFMC should audit email templates for unsafe use of the TreatAsContent function, review user input flowing into subject lines, and ensure all active email view links have been regenerated under the updated encryption scheme.

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.