Home

Description

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks

PUBLISHED Reserved 2026-04-02 | Published 2026-04-16 | Updated 2026-05-27 | Assigner Mandiant

Problem types

CWE-321 Use of hard-coded cryptographic key

CWE-502 Deserialization of untrusted data

Product status

Default status
unaffected

Any version before 20260224
affected

References

github.com/...Disclosures/blob/master/2026/MNDT-2026-0009.md third-party-advisory

www.digital-knowledge.co.jp/product/kd/ product

cloud.google.com/...-viewstate-deserialization-vulnerability third-party-advisory

cve.org (CVE-2026-5426)

nvd.nist.gov (CVE-2026-5426)

Download JSON