CVE-2026-48321
Adobe · ColdFusion
An incorrect authorization vulnerability in Adobe ColdFusion allows an unauthenticated attacker to achieve privilege escalation and gain unauthorized read and write access.
Executive summary
An incorrect authorization vulnerability in Adobe ColdFusion allows unauthenticated attackers to gain unauthorized read and write access to the platform.
Vulnerability
This is an incorrect authorization flaw that permits an unauthenticated attacker to bypass security controls, leading to privilege escalation and unauthorized data access.
Business impact
The CVSS score of 9.3 highlights a critical impact on the confidentiality and integrity of applications hosted on ColdFusion. Unauthorized read and write access can lead to the exposure of sensitive database information or the modification of application logic to facilitate further compromise.
Remediation
Immediate Action: Update Adobe ColdFusion 2025 to version 11 or later, and ColdFusion 2023 to version 22 or later.
Proactive Monitoring: Audit application logs for unauthorized access attempts or unusual write operations to sensitive directories within the ColdFusion environment.
Compensating Controls: Restrict network access to the ColdFusion management interface and ensure the server is isolated behind a strict firewall policy.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
Administrators must prioritize updating ColdFusion installations to the specified fixed versions. Given the ease of access to the underlying data, delayed remediation could result in significant data breaches.