CVE-2026-48321

Adobe · ColdFusion

An incorrect authorization vulnerability in Adobe ColdFusion allows an unauthenticated attacker to achieve privilege escalation and gain unauthorized read and write access.

Executive summary

An incorrect authorization vulnerability in Adobe ColdFusion allows unauthenticated attackers to gain unauthorized read and write access to the platform.

Vulnerability

This is an incorrect authorization flaw that permits an unauthenticated attacker to bypass security controls, leading to privilege escalation and unauthorized data access.

Business impact

The CVSS score of 9.3 highlights a critical impact on the confidentiality and integrity of applications hosted on ColdFusion. Unauthorized read and write access can lead to the exposure of sensitive database information or the modification of application logic to facilitate further compromise.

Remediation

Immediate Action: Update Adobe ColdFusion 2025 to version 11 or later, and ColdFusion 2023 to version 22 or later.

Proactive Monitoring: Audit application logs for unauthorized access attempts or unusual write operations to sensitive directories within the ColdFusion environment.

Compensating Controls: Restrict network access to the ColdFusion management interface and ensure the server is isolated behind a strict firewall policy.

Exploitation status

Public Exploit Available: No (exploit_available: false)

Analyst recommendation

Administrators must prioritize updating ColdFusion installations to the specified fixed versions. Given the ease of access to the underlying data, delayed remediation could result in significant data breaches.