Uncontrolled Resource Consumption Vulnerability (CVE-2026-6022)
Description
April 2026 - CVE-2026-6022
- Progress® Telerik® UI for AJAX 2026 Q1 2026.1.216 or earlier.
What Are the Impacts
In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.
Issue
- CWE-400: Uncontrolled Resource Consumption
- CAPEC‑572: Artificially Inflate File Sizes
Solution
We have addressed the issue and the Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table below.
| Current Version | Update to |
|---|---|
>= 2011.2.712 && <= 2026.1.216 (2026 Q1 SP1) | >= 2026.1.421 (2026 Q1 SP2) |
Follow the update instructions for precise instructions. All customers who have a license for Progress® Telerik® UI for AJAX can access their downloads here Product Downloads | Your Account.
Mitigation
If an immediate upgrade is not possible, apply the following measures to reduce risk.
These measures significantly reduce exposure and are effective as interim protection. For complete coverage, upgrade to the latest version at your earliest convenience.
1. Disable the default handler endpoint
The most important step is to disable the default async upload handler by adding the following appSetting. This closes the vulnerable Telerik.Web.UI.WebResource.axd?type=rau endpoint and is required regardless of whether your application uses file uploads:
<appSettings>
<add key="Telerik.Web.DisableAsyncUploadHandler" value="true" />
</appSettings>With this setting in place, the default handler returns HTTP 404 for all requests. If your application does not use RadAsyncUpload, no further action is needed.
If your application relies on RadAsyncUpload, continue with mitigation #2 to restore upload functionality through a protected custom handler.
2. Custom handler with cumulative size enforcement
If your application requires chunked uploads to remain functional, replace the default handler with a custom handler that validates the actual accumulated file size on disk before each chunk is written. This approach enforces MaxFileSize server-side, regardless of what the client declares. The custom handler uses its own URL and is not affected by the DisableAsyncUploadHandler setting from step 1.
Step 1. Create a helper class to store the upload configuration in the session:
// ~/App_Code/SessionUploadConfig.cs
public class SessionUploadConfig
{
public const string SessionKey = "CustomUploadConfigurationKey";
public int MaxFileSize { get; set; }
public string TemporaryFolder { get; set; }
}Step 2. Create the custom handler that checks cumulative file size before delegating to the default handler:
<!-- ~/CustomAsyncUploadHandler.ashx -->
<%@ WebHandler Language="C#" Class="CustomAsyncUploadHandler" CodeBehind="~/App_Code/CustomAsyncUploadHandler.cs" %>// ~/App_Code/CustomAsyncUploadHandler.cs
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;
using Telerik.Web.UI;
using Telerik.Web.UI.AsyncUpload;
public class CustomAsyncUploadHandler : IHttpHandler, IRequiresSessionState
{
public void ProcessRequest(HttpContext context)
{
if (context.Request["type"] == null || context.Request["type"] != "rau")
{
WriteJsonResponse(context, @"{ ""error"" : ""Invalid Request Type."" }");
return;
}
SessionUploadConfig customConfig = context.Session[SessionUploadConfig.SessionKey] as SessionUploadConfig;
if (customConfig == null)
{
WriteJsonResponse(context, @"{ ""error"" : ""Invalid Upload Configuration."" }");
return;
}
if (customConfig.MaxFileSize != 0)
{
ChunkMetaData metaData = new System.Web.Script.Serialization.JavaScriptSerializer()
.Deserialize<ChunkMetaData>(context.Request["metadata"]);
if (metaData == null)
{
WriteJsonResponse(context, @"{ ""error"" : ""Invalid Upload Metadata."" }");
return;
}
string tempFilePath = context.Server.MapPath(
Path.Combine(customConfig.TemporaryFolder, metaData.UploadID));
if (File.Exists(tempFilePath))
{
long existingFileSize = new FileInfo(tempFilePath).Length;
UploadedFile uploadedFile = UploadedFile.FromHttpPostedFile(context.Request.Files[0]);
long incomingFileSize = uploadedFile.ContentLength;
if (existingFileSize + incomingFileSize > customConfig.MaxFileSize)
{
File.Delete(tempFilePath);
WriteJsonResponse(context, @"{ ""invalidFileSize"" : true }");
return;
}
}
}
// Pre-validation passed — delegate to the default handler
AsyncUploadHandler uploadHandler = new AsyncUploadHandler();
uploadHandler.ProcessRequest(context);
}
private void WriteJsonResponse(HttpContext context, string json)
{
context.Response.StatusCode = 400;
context.Response.ContentType = "application/json";
context.Response.Write(json);
}
public bool IsReusable { get { return false; } }
}Step 3. Configure RadAsyncUpload to use the custom handler and store the configuration in the session:
// Default.aspx.cs (or your page code-behind)
protected void Page_Init(object sender, EventArgs e)
{
RadAsyncUpload1.HttpHandlerUrl = "~/CustomAsyncUploadHandler.ashx";
RadAsyncUpload1.MaxFileSize = 5 * 1024 * 1024; // 5 MB
Session[SessionUploadConfig.SessionKey] = new SessionUploadConfig
{
MaxFileSize = RadAsyncUpload1.MaxFileSize,
TemporaryFolder = RadAsyncUpload1.TemporaryFolder
};
}3. Constrain request sizes (web.config + IIS)
As an additional hardening measure, reduce maxRequestLength and executionTimeout in web.config to the smallest values acceptable for your application. This limits the size of each individual HTTP request (including each chunk), slowing or capping the amount of data an attacker can deliver per request:
<configuration>
<system.web>
<!-- maxRequestLength is in KB; 10240 = 10 MB -->
<httpRuntime maxRequestLength="10240" executionTimeout="120" />
</system.web>
<system.webServer>
<security>
<requestFiltering>
<!-- maxAllowedContentLength is in bytes; 10485760 = 10 MB -->
<requestLimits maxAllowedContentLength="10485760" />
</requestFiltering>
</security>
</system.webServer>
</configuration>
maxRequestLengthapplies per-request and does not prevent cumulative accumulation across multiple chunked requests. Pair it with the disk-level controls below.
4. Apply disk quotas on the temporary upload folder
Set an NTFS disk quota or a folder size limit on the TempTargetFolder (default: ~/App_Data/RadUploadTemp). This enforces a hard cap on disk consumption regardless of how many chunks are uploaded:
- Windows NTFS Quotas — Configure via Disk Management > Properties > Quota for the application pool identity.
- File Server Resource Manager (FSRM) — Create a quota on the specific temp folder path.
5. Web Application Firewall (WAF) / rate-limiting
As a general best practice, apply rate-limiting rules on the upload handler endpoint to throttle or block a high volume of sequential chunk requests from a single source. Any endpoint that writes to disk should be rate-limited to prevent abuse, regardless of this specific vulnerability.
Rate-limit the active endpoint in your application:
/Telerik.Web.UI.WebResource.axd?type=rau— the default handler (if you have not applied mitigation #1)/CustomAsyncUploadHandler.ashx— the custom handler (if you are using mitigation #2)
Notes
- If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to customers with an active support plan.
- We would like to thank the team at the Monetary Authority of Singapore for their responsible disclosure and cooperation.
External References
CVE-2026-6022 (High)
CVSS: 7.5
In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.