HIGH | CVE-2026-47907 | CNA: adobe

CVE-2026-47907: Dreamweaver Desktop | Improper Access Control (CWE-284)

Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Access Control vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Metrics

  • CVSS v3.1: 8.2
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An improper access control vulnerability affects Adobe Dreamweaver Desktop versions 21.7 and earlier. The flaw is exploited locally and requires no authentication, but a victim must open a malicious file for the attack to succeed. Successful exploitation allows an attacker to read arbitrary files and directories outside the intended access scope, disclosing sensitive data from the host file system. No fix has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle affected versions of Dreamweaver Desktop. Any image containing an affected version (21.7 or earlier) is flagged automatically.

Status: Available

Triage

HarborGuard scores this issue at CVSS 8.2 HIGH using the published v3.1 vector, and per-environment compliance policy weighting can escalate or suppress routing based on each org's risk posture. Triage findings are routed to the inbox configured for each customer team, so the right engineers see it without manual filtering.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Adobe publishes a fix. In the interim, customers can apply compensating controls through HarborGuard's policy engine to flag or block deployment of images containing affected versions.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network exposure is required to trigger the vulnerability.

  • Authentication: Not required

    No account or credentials are required; the attacker needs only the ability to deliver a malicious file to the victim.

  • Victim interaction: Required

    A victim must actively open a malicious file, making social engineering or a crafted file delivery a prerequisite for exploitation.

  • Attack complexity: Detail

    Exploit conditions are straightforward and reliable once the malicious file is opened, with no race conditions or special environmental factors required.

Blast Radius

  • Attacker reads arbitrary files and directories on the host file system outside the scope Dreamweaver is intended to access.
  • Sensitive local data such as stored credentials, configuration files, SSH keys, and application secrets becomes readable to the attacker.
  • Because scope is changed, files belonging to other applications or the operating system outside the Dreamweaver sandbox are reachable.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47907 is active across all scanning pipelines, matching images that include Adobe Dreamweaver Desktop 21.7 or earlier. Because Adobe has not yet published a fix version, no patched-image rebuild is available at this time. HarborGuard re-evaluates the advisory on every ingest cycle and will generate a patched rebuild automatically once Adobe ships a fix; for environments with auto-remediation enabled, that rebuild will trigger a regression run and open a PR against affected workloads, with no manual intervention needed.

While no patch exists, compensating controls worth considering include:

  • Blocking deployment of images containing affected Dreamweaver versions via HarborGuard admission policies.
  • Applying network-level egress filtering on hosts running the software to limit post-exploitation reach.
  • Auditing which images in your registry bundle Dreamweaver Desktop as a dependency.

Affected packages
  • Adobe / Dreamweaver Desktop
    ≤ 21.7
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
References