CVE-2026-34702: InDesign Desktop | Stack-based Buffer Overflow (CWE-121)
InDesign Desktop versions 21.3, 20.5.3 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Stack-based buffer overflow in Adobe InDesign Desktop (versions 21.3, 20.5.3 and earlier) allows an attacker to execute arbitrary code in the context of the logged-in user. The vulnerability is reached locally and requires no authentication, but the victim must open a specially crafted malicious file. Successful exploitation gives the attacker full code execution under the victim's account, enabling data theft, file modification, or further system compromise. No fix version has been published yet; HarborGuard tracks this advisory for patch availability.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle InDesign Desktop components.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 7.8 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available automatically based on policy configuration.
Status: Available
Because no fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network exposure is required to trigger the vulnerability.
- Authentication: Not required
  No credentials or account privileges are needed; the attacker simply supplies a malicious file for the victim to open.
- Victim interaction: Required
  The victim must be socially engineered into opening a crafted InDesign file, making phishing or malicious document delivery the primary attack vector.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental dependencies beyond the victim opening the file.
Blast Radius
- Attacker executes arbitrary code with the same privileges as the logged-in user, gaining direct control over the affected workstation or container process.
- Confidential files accessible to the current user, including documents, credentials, and session tokens stored on disk, are readable by the attacker.
- The attacker can create, modify, or delete any files the current user owns, including persisted application data and configuration files.
- The affected process can be crashed or manipulated, disrupting the user's work environment and any dependent automated publishing pipelines.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-34702 is active against all images in connected registries and pipelines, covering any image that bundles InDesign Desktop at an affected version (21.3 or 20.5.3 and earlier). Because Adobe has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-checks the advisory on every ingest cycle; the moment Adobe ships a remediated release, a patched-image rebuild will become available and, for customers with auto-remediation enabled, will trigger an automated rebuild, regression test run, and PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy isolation to limit the blast radius of any compromised process, restricting the ingestion of untrusted InDesign files through pipeline-level file-type gating, and applying least-privilege process sandboxing to any container running InDesign Desktop components.
- Adobe / InDesign Desktop ≤ 20.5.3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H