CVE-2026-34706: InCopy | Out-of-bounds Write (CWE-787)
InCopy versions 21.3, 20.5.3 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Metrics
- CVSS v3.1: 7.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Out-of-bounds write vulnerability in Adobe InCopy (versions 21.3, 20.5.3 and earlier) allows an attacker to write data beyond the bounds of an allocated memory buffer. The vulnerability is reached locally and requires no authentication, but does require a victim to open a specially crafted malicious file. Successful exploitation gives the attacker arbitrary code execution running as the current user. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Adobe publishes a fix.
HarborGuard Coverage
Detection of CVE-2026-34706 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication against upstream advisory feeds. Coverage extends to custom-built images that bundle InCopy or derived components alongside standard registry images.
Status: Available
Triage is available using the CVSS v3.1 base score of 7.8 (HIGH), weighted against each customer organization's compliance policy to determine urgency and escalation path. Findings are routable to the appropriate team inbox within each customer org based on image ownership and policy configuration.
Status: Available
No fix version has been published by Adobe for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once the patch is available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network-facing exposure is required to trigger the vulnerability.
- Authentication: Not required
  No account or credential is needed to deliver the malicious file; the attacker does not need to authenticate to the affected system.
- Victim interaction: Required
  A victim must be social-engineered into opening a malicious InCopy file, making user interaction a required step for exploitation.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- Executes arbitrary code in the context of the logged-in user, giving the attacker full control over any process or file that user can access.
- Reads files, credentials, and session data accessible to the current user account.
- Modifies or deletes files and application data within the current user's permissions.
- Crashes or destabilizes the InCopy application process, disrupting the user's workflow.
How HarborGuard Handles This
Available on HarborGuard: because Adobe has not yet published a fix for CVE-2026-34706, the platform monitors the upstream advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically at that point. In the interim, compensating controls available within HarborGuard include network-policy isolation to limit lateral movement from a compromised host, egress filtering rules to constrain outbound connections from affected workloads, and policy-gate enforcement to flag or block images that include InCopy components at or below version 20.5.3. Teams can also use HarborGuard's feature-flag gating to prevent promotion of affected images to production environments until the upstream patch is confirmed.
- Adobe / InCopy ≤ 20.5.3
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H