CVE-2026-5426 PUBLISHED

KnowledgeDeliver deployments before February 24, 2026 use a static ASP.NET/IIS machineKey value

Assigner: Mandiant
Reserved: 02.04.2026 Published: 16.04.2026 Updated: 16.04.2026

Hard-coded ASP.NET/IIS machineKey value in Digital Knowledge KnowledgeDeliver deployments prior to February 24, 2026 allows adversaries to circumvent ViewState validation mechanisms and achieve remote code execution via malicious ViewState deserialization attacks

Product Status

Vendor	Digital Knowledge
Product	KnowledgeDeliver
Versions	Default: unaffected affected from 0 to 20260224 (excl.)

References

https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0009.md
https://www.digital-knowledge.co.jp/product/kd/

Problem Types

CWE-321 Use of hard-coded cryptographic key CWE
CWE-502 Deserialization of untrusted data CWE

Impacts

CAPEC-586 Object Injection