Knowledge Base Article Outline

********** KNOWLEDGE BASE ARTICLE PREVIEW **********

        July 8, 2026 - This will be attached as a file to the customer s early notification alert

        July 22, 2026 - It will become publicly visible in the product s Knowledge Base

 

Description

[Critical Security Bulletin] [July 2026]   CVE-2026-13181, CVE-2026-13182, CVE-2026-13183, CVE-2026-13184, CVE-2026-13185, CVE-2026-13186, CVE-2026-13190

 

        Progress Telerik UI for AJAX 2026 Q2 (2026.2.519) or earlier.

 

Multiple high security vulnerabilities have been confirmed in Telerik UI for ASP.NET AJAX affecting the RadAsyncUpload, RadPersistenceManager, and RadDockLayout components. When chained together, these vulnerabilities can allow an unauthenticated remote attacker to achieve Remote Code Execution (RCE) on the server hosting the application. This article describes the combined attack chain, its impact, and the actions required to remediate or mitigate the risk.

What Are the Symptoms?

There are no visible symptoms. These vulnerabilities can be exploited silently without causing application errors visible to the application owner. Successful exploitation leaves no obvious trace in standard ASP.NET error logs.

What Are the Impacts?

An unauthenticated remote attacker who successfully exploits this vulnerability chain can execute arbitrary code on the web server with the privileges of the application pool identity. This may result in full server compromise, data exfiltration or further lateral movement within the hosting environment.

 

Affects

Component 

Affected Version 

Fixed Version 

RadAsyncUpload 

>= 2010.1.309 & <= 2026.2.519 

>= 2026.2.708 (2026 Q2 SP1) 

RadPersistenceManager 

>= 2013.1.220 & <= 2026.2.519 

>= 2026.2.708 (2026 Q2 SP1) 

RadDockLayout 

>= 2013.1.220 & <= 2026.2.519 

>= 2026.2.708 (2026 Q2 SP1) 

 

Our only official recommendation is to upgrade to the patched release following the Upgrade to a Newer Version documentation. If you cannot upgrade immediately, visit the Mitigation section for temporary mitigation options.

 

If you have any questions or concerns related to this issue, please log in to open a new Technical Support case. If your version is no longer supported as part of the Telerik UI for ASP.NET AJAX Release History, you should upgrade to a supported and fixed version.

 

Issue

        CWE-326: Inadequate Encryption Strength

        CWE-502: Deserialization of Untrusted Data

        CWE-22: Improper Limitation of a Pathname ('Path Traversal')

 

In Progress Telerik UI for ASP.NET AJAX before version 2026.2.708 (2026 Q2 SP1), multiple vulnerabilities in RadAsyncUpload, RadPersistenceManager and RadDockLayout can be combined by an unauthenticated remote attacker to achieve Remote Code Execution on the server. 

 

 

Solution

 

We have addressed the vulnerabilities and the Progress Telerik team strongly recommends performing an upgrade to the latest version listed in the table above.

 

For all customers on a current maintenance agreement, the upgrade can be accessed by logging into the Product Downloads | Your Account. Customers that are not on a current maintenance agreement should contact a Progress account representative.

 

To confirm your current version of Telerik UI for ASP.NET AJAX, open your project in Visual Studio and check the version of Telerik.Web.UI.dll in the References, or see How to determine which version of Telerik UI for ASP.NET AJAX you are using.

 

Mitigation

 

If you cannot upgrade immediately, apply all applicable mitigations from the checklist below.

 

# 

Check 

Applies to 

customErrors is RemoteOnly or On in Web.config 

All apps with RadAsyncUpload 

Telerik.AsyncUpload.ConfigurationEncryptionKey is set to a strong unique value 

All apps with RadAsyncUpload 

Telerik.Upload.ConfigurationHashKey is set to a strong unique value 

All apps with RadAsyncUpload 

Telerik.Web.UI.DialogParametersEncryptionKey is set to a strong unique value 

Apps using Editor/FileExplorer dialogs 

RadPersistenceManager does not use CookieStateStorageProvider; RadDockLayout.LayoutPersistenceRepositoryType is not Cookies 

Apps using PersistenceFramework 

StorageProviderKey is not derived from Request data 

Apps using AppDataStorageProvider 

Telerik.AsyncUpload.TemporaryFolder points outside App_Data (defense-in-depth) 

Apps with both RadAsyncUpload and RadPersistenceManager 

 

This is intended as a temporary stopgap until you can update the application to use the new release, do not rely on mitigation as a long-term strategy.

 

Mitigation 1 -- Set customErrors to RemoteOnly or On

 

<system.web>

    <customErrors mode="RemoteOnly" />

</system.web>

 

Mitigation 2 & 3 -- Set strong encryption and hash keys

 

<appSettings>

    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey"

       value="YOUR_STRONG_RANDOM_KEY_HERE_62_CHARS_MIN" />

    <add key="Telerik.Upload.ConfigurationHashKey"

       value="YOUR_STRONG_RANDOM_HASH_KEY_HERE" />

    <add key="Telerik.Web.UI.DialogParametersEncryptionKey"

       value="YOUR_STRONG_RANDOM_DIALOG_KEY_HERE" />

</appSettings>

 

See Mandatory web.config settings for requirements and key generation guidance.

 

Mitigation 4 -- Optional: disable the upload handler if not in use

 

<appSettings>

    <add key="Telerik.Web.DisableAsyncUploadHandler" value="true" />

</appSettings>

 

Mitigation 5 -- Do not use cookie-based persistence storage

 

For RadPersistenceManager -- remove any CookieStateStorageProvider configuration. The default AppDataStorageProvider is safe:

 

// Page_Init

PersistenceManager1.StorageProvider =

    new AppDataStorageProvider(Server.MapPath("~/App_Data/PersistenceState/"));

 

For RadDockLayout -- ensure LayoutPersistenceRepositoryType is not Cookies:

 

RadDockLayout1.LayoutPersistenceRepositoryType =

    DockLayoutPersistenceRepository.FileSystem;

 

Mitigation 6 -- Do not derive StorageProviderKey from user input

 

// UNSAFE -- never do this 

// PersistenceManager1.StorageProviderKey = Request.QueryString["userId"];

 

// Safe -- hardcoded key

PersistenceManager1.StorageProviderKey = "my-app-persistence-state";

The default key (TelerikAspNetRadControlsPersistedState) is safe if you have not overridden it.

 

Mitigation 7 -- Move RadAsyncUpload temp folder outside App_Data (defense-in-depth)

<appSettings>

    <add key="Telerik.AsyncUpload.TemporaryFolder" value="~/UploadTemp" />

</appSettings>

 

Create the folder manually and grant write permissions to the application pool identity. This is defense-in-depth only -- always apply Mitigation 6 first.

 

Notes

        If you have any questions or concerns related to this issue, open a new Technical Support case in Your Account | Support Center. Technical Support is available to customers with an active support plan.

        We would like to thank TantoSec (Marcio Almeida, Justin Steven) and CODE WHITE GmbH (Markus Wulftange) for responsibly disclosing these vulnerabilities and assisting in their resolution.

 

External References

 

Related CVEs

 

The following individual vulnerabilities contribute to the chained RCE scenario described above. Each has a dedicated KB article with per-vulnerability details.

CVE-2026-13181 (High) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS: 8.1 / High

In Progress Telerik UI for AJAX prior to v2026.2.708, forged upload metadata can influence AsyncUploadTypeName processing and trigger unsafe attacker-controlled type resolution.

Discoverer Credit: Marcio Almeida of TantoSec

CVE-2026-13182 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS: 7.5 / High

In Progress Telerik UI for AJAX prior to v2026.2.708, RadAsyncUpload client-state processing can distinguish decrypt failures from invalid-JSON parse failures, enabling a padding oracle that may be used to forge valid encrypted payloads.

Discoverer Credit: Marcio Almeida of TantoSec

CVE-2026-13183 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS: 7.5 / High

In Progress Telerik UI for AJAX prior to v2026.2.708, RadAsyncUpload upload metadata processing may leak cryptographic validity through measurable timing differences, enabling a timing oracle that may be used to forge valid encrypted payloads.

Discoverer Credit: Justin Steven and Marcio Almeida of TantoSec

CVE-2026-13184 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS: 7.5 / High

In Progress Telerik UI for AJAX prior to v2026.2.708, when Telerik.Upload.ConfigurationHashKey is absent and machineKey is not explicitly configured, upload metadata integrity protection may fall back to a predictable default key, enabling attackers to forge protected upload metadata and unlock further exploit chains.

Discoverer Credit: Marcio Almeida of TantoSec

CVE-2026-13185 (High) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H 

CVSS: 8.1 / High

In Progress Telerik UI for AJAX prior to v2026.2.708, applications using cookie-based storage in RadPersistenceManager or RadDockLayout deserialize attacker-controlled persistence state via unsafe type resolution, which can lead to remote code execution.

Discoverer Credit: Markus Wulftange of CODE WHITE GmbH

CVE-2026-13186 (High) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS: 8.1 / High

In Progress Telerik UI for AJAX prior to v2026.2.708, a path traversal vulnerability in the file-based persistence storage provider can be exploited when the storage key is derived from user-controlled input, enabling loading of attacker-uploaded files into the deserialization pipeline.

Discoverer Credit: Markus Wulftange of CODE WHITE GmbH

CVE-2026-13190 (High) CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS: 8.1 / High

In Progress Telerik UI for AJAX prior to v2026.2.708, a deserialization vulnerability in the persistence utilities allows unsafe type instantiation from attacker-influenced persisted state, which can lead to remote code execution.

Discoverer Credit: Progress Telerik Security Team