CVE-2026-2878
Predictable ID Vulnerability in Telerik RadAsyncUpload Enables Tampering
Publication date: 2026-02-25
Last updated on: 2026-02-26
Assigner: Progress Software Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| progress | telerik_ui_for_asp.net_ajax | to 2026.1.225 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-331 | The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Progress® Telerik® UI for AJAX versions prior to 2026.1.225, specifically in the RadAsyncUpload component. It is caused by insufficient entropy in generating temporary identifiers, which are predictable because they are based on the timestamp and filename. This predictability can lead to collisions and allow an attacker to tamper with file contents.
How can this vulnerability impact me? :
The vulnerability can impact you by enabling attackers to cause collisions in temporary file identifiers and tamper with the contents of uploaded files. This can compromise the integrity of files being uploaded through the RadAsyncUpload component, potentially leading to unauthorized modification of data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know