Critical Salesforce Marketing Cloud Flaw Exposed Email Data
Key Takeaways Multiple critical vulnerabilities in Salesforce Marketing Cloud (SFMC) could have allowed unauthorized access to sensitive email data across hundreds of organizations. The flaws stemmed...
Key Takeaways
- Multiple critical vulnerabilities in Salesforce Marketing Cloud (SFMC) could have allowed unauthorized access to sensitive email data across hundreds of organizations.
- The flaws stemmed from insecure scripting features and an outdated, easily crackable encryption method for email viewing links.
- Attackers could have potentially read all past emails sent by any company using the platform, impacting millions of users.
- Salesforce has patched the vulnerabilities, assigned several CVE IDs (CVE-2026-22585, CVE-2026-22586, CVE-2026-22582, CVE-2026-22583, CVE-2026-2298), and confirmed no evidence of exploitation.
- Organizations utilizing SFMC are advised to review email templates and regenerate old email view links.
A series of critical security vulnerabilities within Salesforce Marketing Cloud (SFMC), a widely used email marketing platform, could have led to the widespread exposure of private email data for millions of users across hundreds of organizations. These flaws, now remediated, were rooted in the platform’s embedded scripting capabilities and a legacy encryption method that remained in active use for years.
Table Of Content
At their most severe, these vulnerabilities presented an attacker with the capability to surreptitiously access and read every email ever disseminated by any company leveraging the SFMC platform. A detailed report from published by Searchlight Cyber details the findings.
Salesforce Marketing Cloud, previously known as ExactTarget, stands as a cornerstone in the digital marketing landscape, facilitating mass email communications for numerous enterprises across critical sectors such as aviation, finance, energy, and technology. Its extensive adoption, particularly among Fortune 500 companies, makes it an attractive target for threat actors seeking to harvest vast quantities of customer data through a single, coordinated attack.
Researchers at Searchlight Cyber were responsible for uncovering and reporting these vulnerabilities. Their investigation revealed that the issues primarily revolved around template injection flaws combined with a fundamentally broken encryption scheme used to secure email viewing links. A critical aspect of the vulnerability was SFMC’s shared infrastructure and the use of a single, static encryption key across all its customers. This design flaw meant that a compromise within one tenant could cascade, potentially exposing all other tenants on the same network.
The attack vector typically began with a template injection. This involved malicious user-supplied input, for instance, a script payload embedded within a name field during a newsletter subscription, being executed by the platform’s scripting engine. SFMC supports scripting languages like AMPScript and SSJS, which are used to personalize email content. When user input was not adequately sanitized before being processed by these engines, attackers could inject and execute their own instructions within the email rendering system.
Once injected, the malicious code could rapidly escalate its privileges. Attackers could gain access to SFMC’s internal system tables, enabling them to extract sensitive data such as contact lists, the content of sent emails, SMS records, and click-tracking data from any organization hosted on the platform. Searchlight Cyber researchers successfully demonstrated the feasibility of this attack, confirming vulnerable companies across nearly all major industries simply by signing up to mailing lists with crafted script payloads.
Salesforce Marketing Cloud Vulnerability Details
One of the most pervasive issues identified was the handling of email subject lines within SFMC. The platform, by default, would evaluate AMPScript in subject lines twice before dispatching an email. This double evaluation meant that any subscriber data present in the subject line would be re-processed as live code during the second pass, effectively turning every personalized subject line into a potential entry point for attackers. Developers had no clear indication that this behavior posed a security risk.
Salesforce had previously attempted to eliminate this double evaluation in 2023 but reverted the change due to customer feedback. Following Searchlight Cyber’s disclosure, Salesforce has permanently disabled the double evaluation of AMPScript in subject lines, thereby closing this specific attack vector.
Salesforce has since addressed these vulnerabilities and assigned the following CVE IDs:
- CVE-2026-22585
- CVE-2026-22586
- CVE-2026-22582
- CVE-2026-22583
- CVE-2026-2298
Broken Encryption Enabled Cross-Tenant Email Access
The second critical vulnerability involved the method SFMC used to encrypt query strings embedded in email view links. These links allow recipients to open an email in a web browser. The legacy “classic” format was protected by an XOR cipher with a fixed, repeating key. This encryption method is fundamentally insecure by modern cryptographic standards.
The shared nature of SFMC’s infrastructure meant that a single, static key was utilized globally for all customers. This allowed an attacker, once they managed to crack the encryption of one link, to forge new links capable of accessing emails from any other company on the platform. Researchers demonstrated this using a CBC padding oracle attack, which allowed them to decrypt and re-encrypt query parameters to read emails across different tenants. A more efficient variant of this attack reduced the number of required requests from over ten thousand to merely two per guess, making large-scale data harvesting a technically viable threat.
Salesforce was informed of these issues on January 16, 2026, and swiftly deployed a fix by January 24, 2026. The company implemented AES-GCM encryption, invalidated all email view links created before January 23, 2026, and confirmed that no unauthorized access to customer data had been detected.
What You Should Do
- Audit Email Templates: Review all email templates for any unsafe usage of the
TreatAsContentfunction or other scripting constructs that process user input without proper sanitization. - Review Subject Line Input: Ensure that any user-supplied data flowing into email subject lines is rigorously validated and sanitized to prevent script injection.
- Regenerate Email View Links: Confirm that all active email view links within your SFMC instance have been regenerated under the new, updated encryption scheme. Links created before January 23, 2026, are no longer valid and should be replaced.
- Stay Updated: Regularly check Salesforce security advisories and ensure your SFMC instance is running the latest patched versions.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.