Salesforce Marketing Cloud flaws exposed email data through scripting and weak link encryption
Salesforce fixed a set of Marketing Cloud Engagement vulnerabilities that could have exposed email content, subscriber data, and campaign-linked information across the platform. The issues involved unsafe script handling in email templates and weak legacy encryption used in links such as View as a Web Page, CloudPages, Profile Center, Subscription Center, Unsub Center, and Forward to a Friend.
Security researchers at Searchlight Cyber reported that the most serious attack paths could let an attacker read emails sent through Salesforce Marketing Cloud by abusing encrypted query strings and cross-tenant infrastructure. Salesforce says it has not identified confirmed unauthorized access or misuse of customer data linked to the issue.
The flaws have been patched, and Salesforce moved Marketing Cloud Engagement link encryption to AES-GCM. The company also expired older affected links and disabled double evaluation of AMPscript in email subject lines.
What happened
Salesforce Marketing Cloud Engagement, formerly ExactTarget, powers email marketing, campaign automation, subscriber management, and customer communication workflows for large organizations. That makes even a platform-level link or template flaw valuable to attackers.
The first problem involved template injection. Marketing Cloud supports AMPscript and Server-Side JavaScript so companies can personalize email content. If user-supplied fields entered those scripting paths without safe handling, attacker-controlled input could run inside the email rendering process.
The second problem involved encrypted email links. Searchlight Cyber found that Marketing Cloud’s shared infrastructure and legacy encryption formats could allow attackers to manipulate query strings and reach email data tied to other tenants.
At a glance
| Detail | Information |
|---|---|
| Product | Salesforce Marketing Cloud Engagement |
| Researcher | Searchlight Cyber |
| Main risks | Email data exposure, subscriber data exposure, link manipulation, template injection |
| Key weak areas | AMPscript handling, subject line evaluation, encrypted query strings, classic link formats |
| Remediation timeline | Reported on January 16, 2026, with remediation in place by January 24, 2026 |
| Salesforce fix | AES-GCM encryption, expired older links, disabled subject line double evaluation |
| Confirmed misuse | Salesforce has not identified confirmed unauthorized access or misuse |
Why AMPscript became risky
AMPscript helps marketers personalize emails with subscriber names, account details, preferences, and campaign-specific fields. It is powerful because it can pull values, format content, and change what each recipient sees.
That power becomes dangerous when untrusted subscriber input gets evaluated as script. A field such as a name, company, or form response should behave like text, not instructions.
Searchlight Cyber said researchers found vulnerable patterns across major sectors by signing up to mailing lists with payloads in user-controlled fields. That showed how a routine newsletter form could become an entry point when the template later evaluated that field unsafely.
The subject line issue
One of the most practical attack paths involved email subject lines. Salesforce Marketing Cloud historically evaluated AMPscript in subject lines twice in some cases.
That behavior created an unexpected risk. If subscriber data appeared in a subject line, the first pass could insert the subscriber value, while the second pass could treat that inserted value as live AMPscript.
Salesforce had already tried to remove this behavior in 2023, then changed course after customer compatibility concerns. After the Searchlight Cyber disclosure, Salesforce disabled double evaluation of subject line AMPscript again.
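To make the double-evaluation hazard concrete, here is an added example (not Salesforce code and not AMPscript) using a constructed `{{Field}}` placeholder syntax: a single pass leaves whatever a subscriber typed as text, while a second pass over the first pass's output treats that text as template syntax. The `fieldsWithSyntax` audit helper and the `FirstName` and `LoyaltyNumber` fields are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Toy placeholder syntax, constructed for this example; it is NOT AMPscript.
// {{Field}} is replaced by the subscriber's stored value for Field.
var placeholder = regexp.MustCompile(`\{\{\s*([A-Za-z0-9_]+)\s*\}\}`)

// renderOnce does a single substitution pass. Whatever a subscriber typed into a
// field comes out as literal text, even when it looks like a placeholder.
func renderOnce(tmpl string, sub map[string]string) string {
	return placeholder.ReplaceAllStringFunc(tmpl, func(m string) string {
		return sub[placeholder.FindStringSubmatch(m)[1]] // unknown fields render empty
	})
}

// renderTwice models the historical subject-line behaviour: the first pass's output
// is fed back into the engine, so a value inserted by pass one is parsed as syntax by pass two.
func renderTwice(tmpl string, sub map[string]string) string {
	return renderOnce(renderOnce(tmpl, sub), sub)
}

// fieldsWithSyntax lists subscriber fields whose stored value contains placeholder
// delimiters, i.e. the values a double-evaluating renderer would treat as code (a cheap audit).
func fieldsWithSyntax(sub map[string]string) []string {
	var hits []string
	for name, v := range sub {
		if placeholder.MatchString(v) {
			hits = append(hits, name)
		}
	}
	sort.Strings(hits)
	return hits
}

func main() {
	// Constructed record: FirstName came from a public signup form, LoyaltyNumber is internal.
	sub := map[string]string{
		"FirstName":     "{{LoyaltyNumber}}",
		"LoyaltyNumber": "LN-0000-EXAMPLE",
	}
	subject := "Hi {{FirstName}}, your rewards are waiting"
	fmt.Println("single pass:", renderOnce(subject, sub))  // typed text stays text
	fmt.Println("double pass:", renderTwice(subject, sub)) // typed text is re-evaluated
	fmt.Println("fields to audit:", fieldsWithSyntax(sub))
}
```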
The CVEs tied to the fixes
| CVE | Weakness | Affected area | Fixed by |
|---|---|---|---|
| CVE-2026-22585 | Broken or risky cryptographic algorithm | CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View as Webpage | Marketing Cloud Engagement updates before or on January 21, 2026 |
| CVE-2026-22586 | Hard-coded cryptographic key | CloudPages and email link-related modules | Marketing Cloud Engagement updates before or on January 21, 2026 |
| CVE-2026-22582 | Argument injection | MicrositeUrl module | Marketing Cloud Engagement updates before or on January 21, 2026 |
| CVE-2026-22583 | Argument injection | CloudPagesUrl module | Marketing Cloud Engagement updates before or on January 21, 2026 |
| CVE-2026-2298 | Argument injection | Marketing Cloud Engagement | Marketing Cloud Engagement updates before January 30, 2026 |
How weak encryption exposed email viewing links
Marketing Cloud emails often include browser-view links, unsubscribe links, profile links, and CloudPages links. These links carry encrypted query strings so the platform can identify the recipient, email, tenant, and campaign context.
Searchlight Cyber found that the older classic link format used weak cryptography. The researchers also found that Salesforce’s shared infrastructure meant the host name mattered less than the encrypted query string itself.
In practical terms, if an attacker could decrypt, alter, or forge those parameters, they could try to point the platform at different email records. The researchers described paths that moved from a single link to wider email enumeration across tenants.
Why the shared key issue mattered
The most serious finding involved key reuse. Searchlight Cyber said Salesforce Marketing Cloud used a single static shared key across instances for some link handling.
That meant a query string generated or manipulated in one context could work elsewhere. This turned what might have been a tenant-specific issue into a platform-level risk.
The researchers also found an older XOR-based format that still worked even though it was no longer the main modern link format. That legacy path made some attacks faster because it allowed direct encryption and decryption of parameters once the pattern was understood.
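As an added illustration (not Salesforce's real link format, keys or code), the Go block below contrasts a constructed XOR-with-static-key token with an AES-GCM token: the XOR form yields output for any modified input and never signals an error, AES-GCM rejects a single flipped bit, and `urlLen` shows why the authenticated token needs more room in a URL field. The key bytes, the `sid`/`eid` parameter names and all function names are placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Constructed placeholder for the legacy weakness: one static key shared by every instance.
var legacyKey = []byte("static-shared-key-placeholder")
// Hardened side: one AES-128 key per deployment (placeholder bytes; a service would use a KMS).
var gcmAEAD = func() cipher.AEAD {
	block, _ := aes.NewCipher([]byte("0123456789abcdef")) // exactly 16 bytes, so no error
	aead, _ := cipher.NewGCM(block)                       // NewGCM never errors for an AES block
	return aead
}()

// legacyCrypt encrypts and decrypts alike (XOR is its own inverse) and has no integrity check.
func legacyCrypt(b []byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ legacyKey[i%len(legacyKey)]
	}
	return out
}

// gcmSeal: fresh 96-bit nonce per link; output is nonce || ciphertext || 16-byte tag.
func gcmSeal(params string) []byte {
	nonce := make([]byte, gcmAEAD.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return gcmAEAD.Seal(nonce, nonce, []byte(params), nil)
}

// gcmOpen fails closed: one flipped bit anywhere makes Open return an error.
func gcmOpen(token []byte) (string, error) {
	n := gcmAEAD.NonceSize()
	if len(token) < n {
		return "", fmt.Errorf("token too short")
	}
	plain, err := gcmAEAD.Open(nil, token[:n], token[n:], nil)
	return string(plain), err
}
// urlLen is the token's size once base64url-encoded into a query string (cf. 255-char fields).
func urlLen(token []byte) int { return base64.RawURLEncoding.EncodedLen(len(token)) }
func main() {
	p := "sid=12345&eid=987" // constructed parameters
	fmt.Println("legacy", urlLen(legacyCrypt([]byte(p))), "chars vs AES-GCM", urlLen(gcmSeal(p)), "chars")
}
```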
What Salesforce changed
- Salesforce deployed AES-GCM encryption across Marketing Cloud Engagement.
- Salesforce expired links created before January 23, 2026 at 21:00 UTC.
- Salesforce disabled double evaluation of AMPscript in email subject lines.
- The company published CVEs for the affected Marketing Cloud Engagement issues.
- Salesforce said it had not identified confirmed unauthorized access or misuse tied to these vulnerabilities.
What Marketing Cloud admins should review
Admins should review templates that use AMPscript, Server-Side JavaScript, TreatAsContent, MicrositeURL, CloudPagesURL, and personalization fields in subject lines. Any user-controlled value should be treated as unsafe input.
Teams should also check downstream systems that store Marketing Cloud links. Salesforce’s move to AES-GCM made encrypted URLs longer, which can break integrations that store URLs in fields with older 255-character limits.
Organizations that archived old campaigns should confirm whether older links still work as expected. Salesforce expired affected legacy links, which may affect browser-view links, CloudPages paths, and other generated URLs in older email campaigns.
Recommended response checklist
- Audit AMPscript and SSJS usage in active email templates.
- Remove unsafe TreatAsContent use around subscriber-controlled values.
- Check subject lines that include personalization fields.
- Test campaigns affected by the end of subject line double evaluation.
- Review CloudPagesURL and MicrositeURL usage in templates.
- Validate that integrations can store longer encrypted URLs.
- Review old View as Webpage, Profile Center, Subscription Center, and Unsub Center links.
- Check logs and campaign activity for unusual link access patterns.
- Rotate secrets or credentials if sensitive data appeared inside exposed email content.
- Train email developers to avoid evaluating subscriber input as code.
Why this matters beyond Salesforce
This incident shows how marketing platforms can become sensitive data systems. Email content may include invoices, account information, loyalty data, medical reminders, travel details, financial notices, or links into customer portals.
It also shows why legacy encryption and backward compatibility can create long-term risk. A format kept alive for old links can remain exploitable years after newer protection becomes available.
For large SaaS platforms, tenant isolation needs to cover more than logins and databases. Link formats, scripting engines, preview pages, and personalization systems can all become paths to cross-tenant data exposure.
FAQ
It was a group of vulnerabilities involving unsafe scripting behavior and weak encrypted link handling in Salesforce Marketing Cloud Engagement.
Salesforce deployed AES-GCM encryption, expired older affected links, disabled subject line double evaluation, and published CVEs for the fixed issues.
The affected areas included CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View as Webpage, MicrositeUrl, CloudPagesUrl, and subject line AMPscript behavior.
Salesforce said it has not identified confirmed unauthorized access or misuse of customer data related to the issue.