A critical (CVSS 10.0) incorrect authorization vulnerability in Adobe Campaign Classic could allow unauthenticated attackers to execute arbitrary code over the network without any user interaction.
What Is It
CVE-2026-48286 is an Incorrect Authorization vulnerability (CWE-863) in Adobe Campaign Classic (ACC). According to Adobe's advisory, the flaw could result in arbitrary code execution in the context of the current user. Exploitation does not require user interaction, and the vulnerability's scope is changed; meaning a successful attack can affect resources beyond the initially vulnerable component.
Why It Matters
This carries the maximum CVSS 3.1 base score of 10.0 (CRITICAL). The vector, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, describes a network-exploitable flaw with low attack complexity, requiring no privileges and no user interaction, with high confidentiality, integrity, and availability impact. The exploitability sub-score is 3.9, the maximum possible. A changed scope combined with unauthenticated remote code execution makes this an especially high-priority issue for any organization running affected ACC deployments.
What's Vulnerable
Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected. The vulnerability was published by Adobe's PSIRT on 2026-06-30 and is currently listed by NVD as "Undergoing Analysis."
Patch Status
Adobe has published a security advisory (APSB26-69) addressing this vulnerability. Organizations running affected ACC versions should consult that advisory and update to a fixed release. There is no CISA KEV entry supplied for this CVE, so active exploitation is not confirmed in the source material provided.
Sources
- Adobe Security Bulletin APSB26-69; https://helpx.adobe.com/security/products/campaign/apsb26-69.html
- NVD, CVE-2026-48286, https://nvd.nist.gov/vuln/detail/CVE-2026-48286