The Progress Telerik team has confirmed a critical deserialization flaw tracked as CVE-2026-6023, affecting Progress Telerik UI for ASP.NET AJAX versions 2024.4.1114 through 2026.1.225 (2026 Q1).
The vulnerability carries a CVSS score of 8.1, placing it firmly in the High severity tier, and has been classified under CWE-502: Deserialization of Untrusted Data and CAPEC-586: Object Injection.
The flaw specifically targets the RadFilter control, a widely used UI component that filters data grids and data-bound controls in enterprise ASP.NET web applications.
This disclosure follows a pattern of recurring deserialization weaknesses in the Telerik ecosystem. Progress Software previously disclosed similar RCE-enabling deserialization flaws, including CVE-2024-1800 in Telerik Report Server and CVE-2019-18935 in an earlier version of Telerik UI for ASP.NET AJAX, demonstrating that unsafe deserialization in complex .NET UI frameworks remains a persistent, high-impact attack surface.
CVE-2026-6023: Telerik AJAX Flaw
At its core, CVE-2026-6023 stems from the RadFilter control’s use of insecure deserialization when restoring its persisted filter state.
When an application uses RadPersistenceManager with a client-side storage provider, most critically CookieStateStorageProvider, the filter’s serialized state is written to an HTTP cookie, a resource fully under the end user’s control.
When the LoadState() method is subsequently invoked server-side, the application blindly deserializes this cookie data without sufficient validation.
Because .NET deserialization can trigger arbitrary code execution via gadget chains, an attacker who crafts a malicious serialized payload and injects it into the cookie can force the server to execute attacker-controlled code during deserialization.
This maps precisely to CAPEC-586: Object Injection, where an attacker injects a maliciously serialized object to manipulate application behavior at runtime.
Affected Components and Attack Pre-requisites
Only the RadFilter control is vulnerable. Progress has confirmed that other controls using the Persistence Framework, including RadDock, RadGrid, and RadScheduler, employ safe deserialization methods and are not impacted. Exploitation requires all four of the following conditions to be simultaneously true:
- RadFilter is present on the targeted page
- RadPersistenceManager is present on the same page
- A custom storage provider storing state in a cookie (such as CookieStateStorageProvider) is configured
- The LoadState() method is called, triggering deserialization of the cookie data
Notably, applications using server-side storage providers such as session state, a database, or the file system (including the default AppDataStorageProvider) are not vulnerable, since attackers cannot modify server-side persisted data.
This makes the risk scope-specific but significant: any enterprise ASP.NET application that uses client-side cookie persistence for RadFilter state is directly exposed.
The CVSS 8.1 score reflects a practical exploitation scenario requiring no special privileges or authentication beyond the ability to manipulate HTTP cookies, a trivial barrier for any attacker with network access or basic browser developer tools.
Deserialization attacks in .NET environments are well documented; tools like ysoserial.net can automatically generate serialized gadget-chain payloads for known .NET types, dramatically lowering the skill threshold for exploitation.
If successfully exploited, an attacker gains full server-side remote code execution (RCE), potentially enabling lateral movement, data exfiltration, ransomware deployment, or complete application compromise.
Given that Telerik UI for ASP.NET AJAX is deployed across thousands of enterprise ASP.NET web applications globally, including government portals, healthcare systems, and financial platforms, the real-world impact of this vulnerability is broad.
Patch and Remediation
Progress Software has addressed CVE-2026-6023 in the 2026 Q1 SP2 release (version 2026.1.421), published April 22, 2026. The patched version implements safe deserialization within the RadFilter control, neutralizing the object injection attack vector.
| Affected Version Range | Required Update |
|---|---|
| 2024.4.1114 (2024 Q4 SP1) through 2026.1.225 (2026 Q1) | Upgrade to 2026.1.421 (2026 Q1 SP2) or later |
If an immediate upgrade is operationally infeasible, the recommended two interim mitigations are:
- Switch to a server-side storage provider – Reconfigure the RadPersistenceManager to persist filter state in the Session, a database, or the file system instead of a client-side cookie.
- Remove the custom storage provider entirely – This reverts behavior to the default AppDataStorageProvider, which stores state on the server file system and is safe from client tampering.
Security teams should also audit all ASP.NET applications in their portfolio for pages that simultaneously use RadFilter, RadPersistenceManager, and CookieStateStorageProvider, and prioritize those deployments for immediate patching or workaround implementation.
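The audit described above can be partly automated by checking each page (markup plus code-behind) for the four conditions the advisory lists. The script below is an added example, not Progress Telerik code; the sample files are constructed, and it assumes the cookie provider is referenced by the class name used in the advisory rather than configured elsewhere (e.g. web.config), so a partial match still deserves a manual look.

```python
import re
from collections import defaultdict

# Constructed sample files (not from any real project). Markup and code-behind
# of one page share a base name ("Reports.aspx" / "Reports.aspx.cs").
FILTER_PAGE = ('<telerik:RadPersistenceManager ID="RadPersistenceManager1" runat="server" />\n'
               '<telerik:RadFilter ID="RadFilter1" runat="server" FilterContainerID="RadGrid1" />')
SAMPLE_FILES = {
    "Reports.aspx": FILTER_PAGE,
    "Reports.aspx.cs": 'RadPersistenceManager1.StorageProvider = new CookieStateStorageProvider();\n'
                       'if (IsPostBack) RadPersistenceManager1.LoadState();',
    # Same controls, but the default AppDataStorageProvider (no custom provider set).
    "Orders.aspx": FILTER_PAGE,
    "Orders.aspx.cs": 'RadPersistenceManager1.LoadState();',
    # Cookie provider, but only RadGrid: out of scope for this CVE.
    "Dashboard.aspx": '<telerik:RadPersistenceManager ID="RadPersistenceManager1" runat="server" />\n'
                      '<telerik:RadGrid ID="RadGrid1" runat="server" />',
    "Dashboard.aspx.cs": 'RadPersistenceManager1.StorageProvider = new CookieStateStorageProvider();\n'
                         'RadPersistenceManager1.LoadState();',
}

# The four advisory conditions as regexes over markup + code-behind (assumes the provider is referenced by class name).
CONDITIONS = {
    "RadFilter": re.compile(r"<telerik:RadFilter\b", re.I),
    "RadPersistenceManager": re.compile(r"<telerik:RadPersistenceManager\b", re.I),
    "CookieStateStorageProvider": re.compile(r"\bCookieStateStorageProvider\b"),
    "LoadState()": re.compile(r"\.LoadState\s*\("),
}

def group_by_page(files):
    """Concatenate 'X.aspx' with its 'X.aspx.cs' / 'X.aspx.vb' code-behind."""
    pages = defaultdict(str)
    for name, text in files.items():
        pages[re.sub(r"\.(cs|vb)$", "", name)] += "\n" + text
    return pages

def audit(files):
    """Return (exposed, partial): pages meeting all four conditions, and pages meeting some."""
    exposed, partial = {}, {}
    for page, text in group_by_page(files).items():
        met = [name for name, rx in CONDITIONS.items() if rx.search(text)]
        if len(met) == len(CONDITIONS):
            exposed[page] = met
        elif met:
            partial[page] = met
    return exposed, partial

if __name__ == "__main__":
    exposed, partial = audit(SAMPLE_FILES)
    print("EXPOSED:", sorted(exposed), "| review:", partial)
```

On a real code base, replace SAMPLE_FILES with a walk over *.aspx, *.ascx and their code-behind files; pages in the partial set should be checked for a provider set outside the code-behind.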
FAQ
Q1: What is CVE-2026-6023?
It is a high-severity (CVSS 8.1) deserialization vulnerability in Progress Telerik UI for ASP.NET AJAX’s RadFilter control that enables server-side remote code execution via tampered cookie state.
Q2: Which versions of Telerik UI for ASP.NET AJAX are affected?
Versions 2024.4.1114 through 2026.1.225 (2026 Q1) are vulnerable; upgrading to 2026.1.421 (2026 Q1 SP2) or later resolves the issue.
Q3: Is my application at risk if I use the default AppDataStorageProvider?
No, only applications using a client-side cookie storage provider like CookieStateStorageProvider are vulnerable; default server-side storage is safe.
Q4: What is the fastest mitigation if an upgrade isn’t immediately possible?
Switch RadPersistenceManager to a server-side storage provider (session, database, or file system) or remove the custom provider to revert to the safe default.
Site: https://thecybrdef.com