
Deserialization of Untrusted Data Vulnerability (CVE-2026-6023)

Updated on Apr 22, 2026

Description

April 2026 - CVE-2026-6023

  • Progress® Telerik® UI for AJAX 2026 Q1 (2026.1.225) or earlier.

What Are the Impacts

In Progress® Telerik® UI for AJAX versions 2024.4.1114 through 2026.1.421, the RadFilter control is vulnerable to insecure deserialization when restoring filter state if the state is exposed to the client. If an attacker tampers with this state, a server-side remote code execution is possible.

Issue

  • CWE-502: Deserialization of Untrusted Data
  • CAPEC-586: Object Injection

Affected Components

Only RadFilter is affected. The other controls that support the Persistence Framework (such as RadDock, RadGrid, RadScheduler, etc.) use safe deserialization and are not vulnerable to this issue.

Prerequisites for Exploitation

The vulnerability is exploitable only when the persisted filter state is exposed to an attacker. The primary risk is using CookieStateStorageProvider, which stores the state in an HTTP cookie that the attacker can tamper with.

All of the following conditions must be met:

  1. RadFilter is present on the page
  2. RadPersistenceManager is present on the page
  3. A custom storage provider that stores the state in a cookie is configured (e.g. CookieStateStorageProvider)
  4. The LoadState() method is called, which loads the state from the cookie

Storage providers that keep the state server-side (session, database, file system) are not affected, as the attacker cannot modify the persisted data. The default provider (AppDataStorageProvider) stores state on the server file system and is safe.

Solution

We have addressed the issue and the Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.

Current Version                                               Update to
>= 2024.4.1114 (2024 Q4 SP1) && <= 2026.1.225 (2026 Q1)      >= 2026.1.421 (2026 Q1 SP2)

Follow the update instructions for the precise steps. All customers who have a license for Progress® Telerik® UI for AJAX can access their downloads at Product Downloads | Your Account.

Mitigation

If an immediate upgrade is not possible, apply one of the following workarounds:

  • Change the custom storage provider to store state server-side — in the Session, a database, or the file system. See Custom Storage Provider for implementation details.

  • Remove the custom storage provider entirely — this will revert to the default AppDataStorageProvider, which stores state on the server file system and is not exposed to the client.
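The exploitation prerequisites above hinge on the storage provider handing the serialized state to the client; the first workaround keeps it server-side. The following is an added example (not Telerik's code) of a Session-backed provider built on the Persistence Framework's IStateStorageProvider interface, wired in place of a cookie-backed one; the class name, page class, control IDs and button handler are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI;
using Telerik.Web.UI;
using Telerik.Web.UI.PersistenceFramework;

// Session-backed storage provider (hypothetical name): the serialized RadFilter
// state never leaves the server, so a client cannot tamper with what
// LoadState() later deserializes.
public class SessionStateStorageProvider : IStateStorageProvider
{
    private const string KeyPrefix = "RadPersistence:";

    public void SaveStateToStorage(string key, string serializedState)
    {
        HttpContext.Current.Session[KeyPrefix + key] = serializedState;
    }

    public string LoadStateFromStorage(string key)
    {
        // Returning null means "no persisted state yet"; the manager handles that.
        return HttpContext.Current.Session[KeyPrefix + key] as string;
    }
}

public partial class FilterPage : Page
{
    // RadPersistenceManager1 and RadFilter1 are declared in the .aspx markup
    // (hypothetical IDs), with a PersistenceSetting targeting RadFilter1.
    protected void Page_Load(object sender, EventArgs e)
    {
        // Weak setting: a cookie-backed provider such as the advisory's
        // CookieStateStorageProvider puts the state under client control.
        // RadPersistenceManager1.StorageProvider = new CookieStateStorageProvider();

        // Corrected setting: state is stored server-side in the Session.
        RadPersistenceManager1.StorageProvider = new SessionStateStorageProvider();

        if (!IsPostBack)
        {
            RadPersistenceManager1.LoadState();
        }
    }

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        RadPersistenceManager1.SaveState();
    }
}
```

Removing the StorageProvider assignment altogether falls back to the default AppDataStorageProvider, which the second workaround describes.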

Notes

  • If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to customers with an active support plan.

External References

CVE-2026-6023 (High)

CVSS: 8.1
