KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value
Summary
| CVE | CVE-2026-5426 |
|---|---|
| State | PUBLISHED |
| Assigner | Mandiant |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-16 16:16:17 UTC |
| Updated | 2026-04-16 16:16:17 UTC |
| Description | Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks |
Risk And Classification
Problem Types: CWE-321 Use of hard-coded cryptographic key | CWE-502 Deserialization of untrusted data
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Digital Knowledge | KnowledgeDeliver | affected before 20260224 (version type: date) | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.digital-knowledge.co.jp/product/kd | [email protected] | www.digital-knowledge.co.jp | |
| github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026... | [email protected] | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.