SYS::ONLINE
Wasteland.
Briefs1204
Issues19
SinceFeb 2026
LIVE
⚡ Active KEV CVE-2026-48321 2026-07-14

CVE-2026-48321: Critical Authorization Flaw in Adobe ColdFusion Enables Privilege Escalation

"Adobe has disclosed a critical incorrect-authorization vulnerability in ColdFusion that lets an unauthenticated attacker on an adjacent network escalate privileges and gain unauthorized read and write access without any…"

Adobe has disclosed a critical incorrect-authorization vulnerability in ColdFusion that lets an unauthenticated attacker on an adjacent network escalate privileges and gain unauthorized read and write access without any user interaction.

What Is It

CVE-2026-48321 is an Incorrect Authorization vulnerability (CWE-863) in Adobe ColdFusion that can result in privilege escalation. An attacker could leverage the flaw to gain unauthorized read and write access. Exploitation does not require user interaction, and the vulnerability's scope is changed; meaning the impact can extend beyond the vulnerable component. It carries a CVSS 3.1 base score of 9.3 (CRITICAL), with the vector AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N.

Why It Matters

The combination of no required privileges, no user interaction, and a changed scope makes this an attractive target. An attacker who reaches an adjacent network can achieve both confidentiality and integrity impact rated HIGH, reading and writing data they should not be able to touch. ColdFusion is a long-standing target for attackers, and authorization bypasses that grant read/write access are frequently chained into deeper compromise. No public evidence of active exploitation was supplied with this record.

What's Vulnerable

The following Adobe ColdFusion releases are affected:

The vulnerability is remotely reachable over an adjacent network (AV:A) with low attack complexity.

Patch Status

Adobe has published fixed releases. Administrators should upgrade to ColdFusion 2025 update 11 or ColdFusion 2023 update 22, which are listed as unaffected. Refer to Adobe security bulletin APSB26-82 for full remediation guidance. This CVE was not accompanied by a CISA KEV entry in the supplied data, so active exploitation is not confirmed at this time.

Sources