CVE-2026-47929 | Severity: HIGH | CNA: adobe

CVE-2026-47929: ColdFusion | Incorrect Authorization (CWE-863)

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to gain elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.

Metrics

  • CVSS v3.1: 8.4
  • Severity: HIGH
  • Fixed in: no upstream fix version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Incorrect Authorization vulnerability in Adobe ColdFusion (versions 2023.19, 2025.8, and earlier) allows a high-privileged attacker reachable over an adjacent network to bypass authorization checks and execute arbitrary code in the context of the current user. No user interaction is required, and successful exploitation changes scope, meaning the attacker can break out of their originally authorized context to affect other components. A successful attack grants full read, write, and availability impact on the target system. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Adobe publishes a fix version.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-47929 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built ColdFusion images, in connected registries and CI/CD pipelines. Any image layer carrying an affected ColdFusion version (2025.8 or earlier) is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 8.4 (HIGH) and weights it against each environment's compliance policy to determine routing priority. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules and severity thresholds.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the Adobe advisory each ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once Adobe ships the patch.

Exploit Conditions

  • Network reachability: adjacent network (AV:A)

    The attacker must be on the same adjacent network segment (LAN, VPN, or similar) as the targeted ColdFusion instance; remote over-the-internet exploitation without that adjacency is not supported by this vector.

  • Authentication: Required (PR:H)

    A high-privileged account (admin-level credentials) is required to reach the vulnerable authorization path; low-privilege or unauthenticated access is not sufficient.

  • Victim interaction: Not required (UI:N)

    The attacker can complete the exploit entirely without any action from another user or operator.

  • Attack complexity: Low (AC:L)

    Exploit conditions are straightforward and reliable; no race conditions, memory-layout dependencies, or other environmental factors need to be satisfied beyond holding a high-privileged account.

Blast Radius

  • Reads confidential data stored or accessible in the ColdFusion application context, including session tokens, configuration secrets, and application data.
  • Modifies or deletes application data and server-side files within the scope of the running process.
  • Crashes or degrades the ColdFusion service, causing availability loss for dependent applications.
  • Because scope is changed, the attacker can pivot from the ColdFusion process to affect other system components or co-hosted services beyond the originally compromised application.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-47929 is actively tracked against all customer images carrying affected ColdFusion versions (2025.8 and earlier). Because Adobe has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-checks the Adobe advisory on every ingest cycle and will trigger a rebuild automatically when a fix version is released; for customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads. While awaiting the upstream patch, recommended compensating controls include applying network policy rules that restrict adjacency-level access to ColdFusion admin interfaces, enforcing egress filtering on ColdFusion hosts to limit lateral movement in the event of exploitation, and auditing high-privileged account assignments to reduce the attacker surface covered by PR:H. Teams with strict compliance policies should flag affected images for manual review using HarborGuard's policy-gating controls until a patched base image becomes available.

Affected packages
  • Adobe / ColdFusion: ≤ 2025.8
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
References