Sitecore Experience Commerce is vulnerable to Deserialization of Untrusted Data
91
Critical Risk
Affected versions of certain Sitecore products may be exposed to a critical configuration vulnerability that can lead to remote code execution and unauthorized access to sensitive information. The issue arises from insecure configuration practices in specific deployment scenarios, particularly in multi-instance environments or when using default or customer-managed static machine keys. If successfully exploited, an attacker could execute arbitrary code remotely or gain access to protected data. This vulnerability potentially impacts Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and certain Managed Cloud deployments, depending on topology, version, and configuration choices. Products such as SitecoreAI, Content Hub, CDP and Personalize, OrderCloud, and others are not affected. Customers using older sample keys, multi-instance deployments, or customer-managed keys are at higher risk and should apply the recommended patches and configuration guidance without delay. Sitecore advises customers and partners to review their environments carefully, ensure they are running security-supported versions, and promptly apply all available security fixes. Additional updates may be provided as further details emerge, and customers are encouraged to monitor future security bulletins for the latest information and guidance from Sitecore.
You are affected if you are using a version that falls within the vulnerable range. A test to verify whether you are vulnerable is available in this GitHub repo.
Sitecore Experience Commerce is vulnerable to Deserialization of Untrusted Data in versions 0.0.1 - 9.0.0.
Upgrade the Sitecore Experience Commerce packages to a patched version.
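As a defender-side check for the root cause named above (default or static machine keys), here is an added example that is not code from this page, from Sitecore, or from the linked test repo. It assumes the keys live in the standard ASP.NET `<machineKey>` element of web.config and flags any `validationKey`/`decryptionKey` that is a fixed value rather than `AutoGenerate`; the `KNOWN_SAMPLE_KEYS` set is a constructed placeholder, not the real sample keys.

```python
import xml.etree.ElementTree as ET

# Constructed placeholder list: replace with the sample key values Sitecore's bulletin names.
KNOWN_SAMPLE_KEYS = {
    "PLACEHOLDER-SAMPLE-VALIDATION-KEY",
    "PLACEHOLDER-SAMPLE-DECRYPTION-KEY",
}

def machinekey_findings(web_config_xml: str) -> list:
    """Inspect every <machineKey> element in an ASP.NET web.config document.

    Returns a list of (attribute, reason) tuples: "known sample key" when the
    value matches KNOWN_SAMPLE_KEYS, "static key" for any other fixed value.
    AutoGenerate* values are generated per instance and produce no finding.
    """
    findings = []
    root = ET.fromstring(web_config_xml)
    for mk in root.iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr)
            if value is None or value.startswith("AutoGenerate"):
                continue
            if value in KNOWN_SAMPLE_KEYS:
                findings.append((attr, "known sample key"))
            else:
                findings.append((attr, "static key"))
    return findings

# Constructed web.config fragments covering the three cases the check distinguishes.
SAMPLE_KEY_CONFIG = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER-SAMPLE-VALIDATION-KEY"
              decryptionKey="PLACEHOLDER-SAMPLE-DECRYPTION-KEY"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

STATIC_KEY_CONFIG = """<configuration><system.web>
  <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
              decryptionKey="FEDCBA9876543210FEDCBA9876543210"
              validation="HMACSHA256" decryption="AES" />
</system.web></configuration>"""

AUTO_KEY_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>"""

if __name__ == "__main__":
    for name, cfg in [("sample", SAMPLE_KEY_CONFIG), ("static", STATIC_KEY_CONFIG),
                      ("auto", AUTO_KEY_CONFIG)]:
        print(name, machinekey_findings(cfg) or "no static machine key found")
```

A static key is not automatically wrong (multi-instance farms need a shared key), so treat a "static key" finding as a prompt to confirm the key is customer-generated and rotated per the vendor guidance, not a verdict.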