The Great Reset: Inside the Salesforce Security “Nuke” and the Deliverability & Compliance Disaster, Breaking Billions of Emails

Mid-January 2026 brought email marketers an unwelcome surprise: critical vulnerabilities in Salesforce Marketing Cloud Engagement forced the platform to expire every link generated before 21 January, effectively bricking the archives of billions of marketing emails overnight. High-stakes security, global deliverability failure, and a regulatory “Catch-22” – all in a week.

The vulnerabilities, CVE-2026-22582, CVE-2026-22583, and CVE-2026-22586, covered argument injection flaws and hard-coded cryptographic keys across multiple Marketing Cloud modules, including CloudPages, unsubscribe centers, and click tracking. Every Marketing Cloud instance worldwide was affected until Salesforce rolled out an encryption upgrade on 21 January.

The Fix That Broke Everything

Salesforce’s remediation migrated all link encryption to AES-GCM, an authenticated encryption mode that provides both confidentiality and integrity verification: a token that has been altered, or that was minted under a different key, fails the authentication tag and is rejected before anything inside it is trusted. That is technically sound, but it is not backward compatible with the old scheme. Links minted under the old, hard-coded keys cannot be verified by the new one, and continuing to honor them would have meant continuing to trust tokens produced by the very scheme the vulnerabilities undermined. Salesforce faced a brutal choice: keep serving potentially vulnerable legacy links, or kill them all.

They chose the latter. On 23 January, every Marketing Cloud link generated before the upgrade started returning a generic error page. Unsubscribe links, profile management links, view-as-webpage links—all dead. The company maintains it hasn’t identified any confirmed unauthorized access to customer data, but that is cold comfort for marketers watching their evergreen campaigns turn into digital paperweights.
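The following Go program is an added example, not Salesforce’s code and not its real token format: it shows what “migrating link encryption to AES-GCM” buys and why old links cannot simply be honored. Each link token is version || 12-byte nonce || AES-256-GCM ciphertext and tag, URL-safe base64 encoded, with an expiry inside the authenticated payload (the article’s closing section notes Salesforce now recommends a 60-day maximum lifetime for encrypted links). The decoder refuses legacy-format tokens by version, rejects any token whose tag fails under the current key, and enforces the expiry. The version bytes, field layout, key derivation, demo secret and sample payload are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Hypothetical token layout (assumed for this example, not Salesforce's):
//   version(1) || nonce(12) || AES-256-GCM ciphertext || tag(16)
// The version byte doubles as the additional authenticated data.
const (
	versionLegacy byte = 1 // stands in for the pre-21-January scheme
	versionGCM    byte = 2
	nonceSize          = 12
)

var (
	ErrLegacyToken = errors.New("legacy link format: expired by policy")
	ErrBadToken    = errors.New("malformed token")
	ErrExpired     = errors.New("link past its expiry")
)

// linkKey derives a 32-byte AES key from a secret that, in production, comes
// from a KMS/HSM; a literal in the code base is the hard-coded-key flaw itself.
func linkKey(secret []byte) []byte {
	sum := sha256.Sum256(secret)
	return sum[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealLink encrypts the payload together with its expiry (unix seconds) so
// the click endpoint can enforce a bounded lifetime without a database lookup.
func sealLink(key, payload []byte, expires time.Time) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	plain := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(plain, uint64(expires.Unix()))
	copy(plain[8:], payload)
	token := append([]byte{versionGCM}, nonce...)
	token = gcm.Seal(token, nonce, plain, []byte{versionGCM})
	return base64.RawURLEncoding.EncodeToString(token), nil
}

// openLink refuses legacy-format tokens by version, authenticates the GCM
// token before trusting anything inside it, then enforces the expiry.
func openLink(key []byte, token string, now time.Time) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) == 0 {
		return nil, ErrBadToken
	}
	if raw[0] == versionLegacy {
		return nil, ErrLegacyToken
	}
	if raw[0] != versionGCM || len(raw) < 1+nonceSize+8+16 { // 8-byte expiry + 16-byte tag minimum
		return nil, ErrBadToken
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := gcm.Open(nil, raw[1:1+nonceSize], raw[1+nonceSize:], []byte{versionGCM})
	if err != nil {
		return nil, err // wrong key or any modified byte fails the tag and lands here
	}
	if now.After(time.Unix(int64(binary.BigEndian.Uint64(plain[:8])), 0)) {
		return nil, ErrExpired
	}
	return plain[8:], nil
}

// tamperToken flips one bit in the last byte, which lies inside the GCM tag.
func tamperToken(token string) string {
	raw, _ := base64.RawURLEncoding.DecodeString(token)
	raw[len(raw)-1] ^= 0x01
	return base64.RawURLEncoding.EncodeToString(raw)
}

// legacyToken is a pre-upgrade-format token; the decoder never reads past its version byte.
func legacyToken() string {
	return base64.RawURLEncoding.EncodeToString([]byte{versionLegacy, 0xde, 0xad, 0xbe, 0xef})
}

func main() {
	key := linkKey([]byte("demo-only-secret")) // constructed demo secret
	now := time.Now()
	tok, _ := sealLink(key, []byte("sub=123&job=456"), now.Add(60*24*time.Hour))
	fmt.Println("token length:", len(tok))
	for label, t := range map[string]string{"fresh": tok, "tampered": tamperToken(tok), "legacy": legacyToken()} {
		_, err := openLink(key, t, now)
		fmt.Printf("%-8s -> %v\n", label, err)
	}
	_, err := openLink(linkKey([]byte("rotated")), tok, now)
	fmt.Println("wrong key -> ", err)
}
```

The expiry sits inside the authenticated plaintext, so it cannot be extended by editing the URL; that is what lets a bounded link lifetime be enforced without any server-side state. The fixed overhead of version byte, nonce and tag (29 bytes before encoding) is visible in the printed token length; the article does not say what else Salesforce’s longer links carry, so the example makes no claim about the rest of the 180-to-580-character growth.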

When Security Meets Microsoft: A 99% Bounce Rate

The situation moved from frustrating to catastrophic over the weekend. The new AES-GCM link tokens more than doubled URL lengths, from roughly 180–255 characters to as many as 580. Some growth is inherent to the construction: an AES-GCM token carries a nonce and a 16-byte authentication tag alongside the ciphertext, and the whole thing then has to be encoded into a URL-safe alphabet. According to community reports, these bloated URLs triggered an unexpected deliverability disaster with Microsoft mail servers.

When Marketing Cloud messages carrying these long List-Unsubscribe headers hit Outlook, Hotmail, or Live.com, Microsoft’s servers, applying legacy line-handling rules, inserted line breaks at 999-character boundaries. That is not purely a Microsoft quirk: RFC 5322 caps a line at 998 octets excluding the CRLF, so a header that long is a gamble at any relay. A break inserted in the middle of a URL changes the header’s canonical form as the receiver sees it, and because the List-Unsubscribe header is normally covered by the DKIM signature (RFC 8058 one-click unsubscribe requires it to be), the signature no longer verified. Marketers in SFMC forums reported bounce rates approaching 99% on Microsoft domains until Salesforce re-engineered the header formatting on 25 January. Four days of near-total failure on one of the world’s largest mailbox providers isn’t a hiccup; it’s a failure of platform-level testing.
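As an added example (not code from the article, from Salesforce, or from Microsoft), the following Go program implements RFC 6376 relaxed header canonicalization and shows why the folding matters. A List-Unsubscribe header built from two constructed URIs of about 600 characters each is folded twice: once at an existing space, as RFC 5322 permits, and once at a fixed 998-octet boundary, which stands in for the behaviour the article attributes to Microsoft’s servers. The first canonicalizes to the same bytes as the unfolded header; the second does not, which is exactly the condition under which the DKIM header hash no longer matches. The domains, the query tokens and the folding routine are assumptions for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

const maxLine = 998 // RFC 5322 s2.1.1: maximum octets per line, excluding CRLF

var wsp = regexp.MustCompile(`[ \t]+`)

// relaxedCanon applies RFC 6376 s3.4.2 relaxed header canonicalization to one
// raw (possibly folded) header field: lowercase name, unfold, collapse WSP,
// trim, keep the colon and a final CRLF.
func relaxedCanon(raw string) string {
	name, value, _ := strings.Cut(raw, ":")
	value = strings.ReplaceAll(value, "\r\n", "") // every CRLF inside a folded value is a continuation
	value = wsp.ReplaceAllString(value, " ")
	value = strings.Trim(value, " ")
	return strings.ToLower(strings.TrimSpace(name)) + ":" + value + "\r\n"
}

// headerHash stands in for the DKIM header hash: signer and verifier must
// produce identical canonical bytes or the signature fails.
func headerHash(raw string) string {
	sum := sha256.Sum256([]byte(relaxedCanon(raw)))
	return hex.EncodeToString(sum[:])
}

// foldFixedWidth mimics a relay that breaks an over-long line every width
// octets with CRLF+SP, wherever that lands, even inside a URL. (Assumed
// behaviour for the demo, not Microsoft's implementation.)
func foldFixedWidth(raw string, width int) string {
	var b strings.Builder
	for i := 0; i < len(raw); i += width {
		if i > 0 {
			b.WriteString("\r\n ")
		}
		end := i + width
		if end > len(raw) {
			end = len(raw)
		}
		b.WriteString(raw[i:end])
	}
	return b.String()
}

// foldAtWSP folds only at existing whitespace (RFC 5322 s2.2.3), the one kind
// of folding relaxed canonicalization undoes without changing the value.
// It fails when a single whitespace-free token cannot fit on a line by itself.
func foldAtWSP(name, value string, width int) (string, error) {
	lines := []string{name + ":"}
	for _, tok := range strings.Fields(value) {
		if 1+len(tok) > width {
			return "", fmt.Errorf("token of %d octets cannot be folded within %d", len(tok), width)
		}
		if len(lines[len(lines)-1])+1+len(tok) > width {
			lines = append(lines, "")
		}
		lines[len(lines)-1] += " " + tok
	}
	return strings.Join(lines, "\r\n"), nil
}

// overLimit returns the lengths of physical lines longer than RFC 5322 allows.
func overLimit(raw string) []int {
	var bad []int
	for _, line := range strings.Split(raw, "\r\n") {
		if len(line) > maxLine {
			bad = append(bad, len(line))
		}
	}
	return bad
}

// sampleListUnsubscribe is a constructed header: two targets each carrying a
// 560-character opaque query string, standing in for the longer encrypted links.
func sampleListUnsubscribe() (name, value string) {
	qs := strings.Repeat("0123456789abcdef", 35)
	return "List-Unsubscribe", "<https://click.example.com/unsub?qs=" + qs + ">, " +
		"<mailto:leave@example.com?subject=unsub-" + qs + ">"
}

type foldReport struct {
	UnfoldedOverLimit, FixedWidthBreaksDKIM, WSPFoldBreaksDKIM, WSPFoldOverLimit bool
}

// compareFoldings checks the unfolded header against both folding styles.
func compareFoldings(name, value string) (foldReport, error) {
	original := name + ": " + value
	legal, err := foldAtWSP(name, value, maxLine)
	if err != nil {
		return foldReport{}, err
	}
	h := headerHash(original)
	return foldReport{
		UnfoldedOverLimit:    len(overLimit(original)) > 0,
		FixedWidthBreaksDKIM: headerHash(foldFixedWidth(original, maxLine)) != h,
		WSPFoldBreaksDKIM:    headerHash(legal) != h,
		WSPFoldOverLimit:     len(overLimit(legal)) > 0,
	}, nil
}

func main() {
	r, err := compareFoldings(sampleListUnsubscribe())
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

A real DKIM signature covers a list of header fields plus the body hash; the example hashes one field because equality of the canonical bytes is the property that decides verification. The practical check a sender can run before the fact is overLimit: any physical header line over 998 octets is relying on every hop to fold it gracefully, and foldAtWSP shows the further limit that no single whitespace-free token, such as one URL, can exceed that length and still be folded legally at all.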

The Compliance Catch-22

The forced link expiration created a legal headache that would make any compliance officer wince. CAN-SPAM and GDPR both require functioning unsubscribe mechanisms. Salesforce justified the mass expiration by citing GDPR Article 32 on the security of processing, arguing that it takes precedence over the continued availability of any particular link.

The workaround provided, a custom redirect feature that lets administrators define a global landing page for expired links, is a very blunt instrument. It cannot distinguish between a “shop now” link and an unsubscribe link, forcing marketers to choose between a broken user experience and a potential compliance violation. The least bad configuration is to point that landing page somewhere that itself offers an unsubscribe or preference-management path, so a subscriber who clicked an expired opt-out link is not simply stranded.

The New Reality

The operational fallout lands on marketing teams, not the platform. For those running Marketing Cloud, the tasks are clear: resend evergreen campaigns, update data schemas to handle longer URLs (a 580-character link does not fit in a 255-character field), and audit every integration for truncation issues. Salesforce now recommends a maximum 60-day lifetime for encrypted links, a far cry from the “forever” links the industry once relied on and some argue GDPR requires (although the regulation states no explicit time limit). It is also only just enough for CASL, which requires an unsubscribe mechanism to remain valid for at least 60 days after the message is sent.

When security and convenience clash, security wins. Every time. And you’ll be the one explaining to stakeholders why the last six months of emails just stopped working.

Subscribe to platform trust notifications. Audit your evergreen campaigns. Have an incident response plan. Because the next “Great Reset” won’t send you a calendar invite.

Analysis and ‘fix’ sourced from Vantage Point Security Research

Andrew Bonar
Andrew is the co-founder of emailexpert.
