Adobe has disclosed a critical incorrect-authorization vulnerability in ColdFusion that lets an unauthenticated attacker on an adjacent network escalate privileges and gain unauthorized read and write access without any user interaction.
What Is It
CVE-2026-48321 is an Incorrect Authorization vulnerability (CWE-863) in Adobe ColdFusion that can result in privilege escalation. An attacker could leverage the flaw to gain unauthorized read and write access. Exploitation does not require user interaction, and the vulnerability's scope is changed; meaning the impact can extend beyond the vulnerable component. It carries a CVSS 3.1 base score of 9.3 (CRITICAL), with the vector AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N.
Why It Matters
The combination of no required privileges, no user interaction, and a changed scope makes this an attractive target. An attacker who reaches an adjacent network can achieve both confidentiality and integrity impact rated HIGH, reading and writing data they should not be able to touch. ColdFusion is a long-standing target for attackers, and authorization bypasses that grant read/write access are frequently chained into deeper compromise. No public evidence of active exploitation was supplied with this record.
What's Vulnerable
The following Adobe ColdFusion releases are affected:
- ColdFusion 2025: versions up to and including update 10 are affected; update 11 is unaffected.
- ColdFusion 2023: versions up to and including update 21 are affected; update 22 is unaffected.
The vulnerability is remotely reachable over an adjacent network (AV:A) with low attack complexity.
Patch Status
Adobe has published fixed releases. Administrators should upgrade to ColdFusion 2025 update 11 or ColdFusion 2023 update 22, which are listed as unaffected. Refer to Adobe security bulletin APSB26-82 for full remediation guidance. This CVE was not accompanied by a CISA KEV entry in the supplied data, so active exploitation is not confirmed at this time.
Sources
- Adobe Security Bulletin APSB26-82; https://helpx.adobe.com/security/products/coldfusion/apsb26-82.html
- NVD, CVE-2026-48321, https://nvd.nist.gov/vuln/detail/CVE-2026-48321