CVE-2026-6023
Published: 22 April 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2026-6023 is an insecure deserialization vulnerability (CWE-502) affecting the RadFilter control in Progress Telerik UI for AJAX versions 2024.4.1114 through 2026.1.421. The issue arises when the control restores filter state that has been exposed to the client, allowing tampered data to trigger server-side remote code execution. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete confidentiality, integrity, and availability impact.
A remote attacker without privileges can exploit this vulnerability by tampering with the client-exposed filter state data before it is sent back to the server for deserialization. The CVSS vector rates attack complexity as High: exploitation requires crafting a payload that survives whatever protections apply on the deserialization path. If successful, the attacker achieves arbitrary remote code execution on the server, potentially leading to full system compromise.
The official Telerik knowledge base advisory at https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-deserialization-of-untrusted-data-cve-2026-6023 provides details on mitigation, including recommendations for securing filter state handling and available patches for affected versions. Security practitioners should consult this resource for specific remediation steps.
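As an added illustration of the mitigation class the advisory points to (this is not Telerik's code and does not reproduce RadFilter's real state format), the following Python sketch treats client-returned filter state as untrusted: it restores state only from a data-only format, verifies an HMAC before parsing, and allowlists the fields and operators it will accept. The key, field names and operator set are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key; a real deployment loads this from protected configuration.
STATE_KEY = b"constructed-demo-key-not-for-production"

# Only these fields and operators are accepted when state comes back from the client.
ALLOWED_FIELDS = {"field": str, "operator": str, "value": str}
ALLOWED_OPERATORS = {"EqualTo", "Contains", "GreaterThan", "LessThan"}


def protect_state(filters):
    """Serialize filter state for the client and attach an HMAC so tampering is detectable."""
    payload = json.dumps(filters, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(STATE_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def restore_state(token):
    """Restore client-returned filter state; raise ValueError on tampering or unexpected shape."""
    try:
        b64, tag = token.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(b64.encode())
    except (ValueError, binascii.Error) as exc:
        raise ValueError("malformed state token") from exc
    expected = hmac.new(STATE_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("state token failed integrity check")
    # JSON carries no type metadata, so nothing here instantiates server-side types.
    filters = json.loads(payload)
    if not isinstance(filters, list):
        raise ValueError("filter state must be a list")
    for entry in filters:
        if not isinstance(entry, dict) or set(entry) != set(ALLOWED_FIELDS):
            raise ValueError("unexpected filter shape")
        for key, expected_type in ALLOWED_FIELDS.items():
            if not isinstance(entry[key], expected_type):
                raise ValueError(f"field {key!r} has wrong type")
        if entry["operator"] not in ALLOWED_OPERATORS:
            raise ValueError("operator not allowed")
    return filters


def demo():
    """Round-trip valid state, then show that a tampered token and a disallowed operator are rejected."""
    good = [{"field": "Name", "operator": "Contains", "value": "a"}]
    token = protect_state(good)
    restored = restore_state(token)
    b64, tag = token.rsplit(".", 1)
    tampered = base64.urlsafe_b64encode(b'[{"field":"Name","operator":"Contains","value":"b"}]').decode() + "." + tag
    results = {"roundtrip": restored == good, "tampered_rejected": False, "operator_rejected": False}
    try:
        restore_state(tampered)
    except ValueError:
        results["tampered_rejected"] = True
    try:
        restore_state(protect_state([{"field": "Name", "operator": "Exec", "value": "x"}]))
    except ValueError:
        results["operator_rejected"] = True
    return results
```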
Details
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an insecure deserialization flaw in a public-facing web application component (Telerik UI for AJAX RadFilter), enabling remote unauthenticated attackers to achieve arbitrary server-side RCE by tampering with client-exposed filter state data.