HarborGuard Database
CVE-2026-47931 | Severity: HIGH | CNA: adobe

CVE-2026-47931: ColdFusion | Improper Input Validation (CWE-20)

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Metrics

CVSS v3.1 base score: 8.4 (HIGH)
Fixed in: no fixed version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

Improper input validation in Adobe ColdFusion (the 2025 release line through 2025.8 and the 2023 release line through 2023.19) allows a network-adjacent attacker holding administrator-level credentials to execute arbitrary code on the host in the context of the current user, which for a server deployment is the account the ColdFusion service runs as. No victim interaction is required, and scope is changed, meaning a successful exploit can break out of the directly affected component and impact other resources on the host or network. No fix versions have been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as Adobe releases one.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built ColdFusion images. Any image carrying an affected version of ColdFusion (2023.19 or earlier on the 2023 line, 2025.8 or earlier on the 2025 line) is flagged automatically.

Triage: Available

HarborGuard scores this finding at CVSS 8.4 HIGH and weights it against each customer organization's compliance policy to determine urgency and routing. The finding is directed to the appropriate team inbox within each customer environment based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available the moment upstream ships a remediated release. In the interim, the advisory status and any Adobe guidance are surfaced continuously in the finding detail so teams can act on compensating controls without delay.

Exploit Conditions

  • Network reachability: Adjacent (AV:A)

    As scored, the attacker must be on an adjacent network (LAN, VPN, or equivalent broadcast domain) to reach the vulnerable ColdFusion service; reachability from the internet alone is not assumed. A deployment that exposes the ColdFusion Administrator beyond that boundary is reachable by a wider attacker set than the score reflects and should be treated accordingly.

  • Authentication: Required (PR:H)

    An administrator-level account is needed to trigger the vulnerability, so the attacker must first obtain or compromise privileged credentials.

  • Victim interaction: Not required (UI:N)

    No user action is needed; the attacker can complete the exploit without involving another person.

  • Attack complexity: Low (AC:L)

    The exploit is expected to be reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • Executes arbitrary code on the ColdFusion host in the context of the current user, giving the attacker direct process-level control.
  • Reads any data accessible to the running ColdFusion process, including application configuration files, data source credentials, and session tokens.
  • Modifies or deletes files, application data, and configuration accessible to the process, potentially corrupting application state.
  • Because scope is changed, impact can extend beyond the ColdFusion component itself to other resources and services on the same host or internal network.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all customer environments scanning ColdFusion images, with findings scored at CVSS 8.4 HIGH and routed according to each organization's compliance policy.

Because Adobe has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-evaluates the upstream advisory on every ingest cycle and will make a rebuilt image available automatically the moment a patched version is released; for customers with auto-remediation enabled, that triggers a regression test run and a PR opened against affected workloads without manual intervention.

While no patch exists, recommended compensating controls are:

  • Restrict access to the ColdFusion Administrator (the /CFIDE/administrator path) with network-policy isolation so that only trusted adjacent hosts can reach it; an administrator interface reachable from outside that boundary widens the attack vector beyond what the score assumes.
  • Enforce egress filtering on the ColdFusion host or pod to limit outbound connections from the ColdFusion process, which constrains post-exploitation callbacks and lateral movement.
  • Audit administrative account access and remove unused or shared accounts, since administrator-level credentials are the precondition for exploitation.
  • Confirm which account the ColdFusion service runs as; code execution lands in that account's context, so a service running as root or SYSTEM turns this into full host compromise.
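The detection and routing described above, as an added example that is not HarborGuard's scanner code: a branch-aware check of ColdFusion version strings against the two bounds the advisory names (2023.19 and 2025.8), run over a constructed image inventory and routed with constructed ownership rules. It assumes versions appear as "<release line>.<update>" strings exactly as the advisory writes them; the inventory, owner map and default inbox are made up. A naive single "<= 2025.8" comparison is included only to show the cross-line error it makes.

```python
"""Branch-aware affected-version matching for CVE-2026-47931, with triage routing.

Added example; not HarborGuard's scanner code. Assumptions (constructed for
illustration): versions are "<release line>.<update>" strings as the advisory
writes them, e.g. "2025.8"; the inventory, ownership map and inbox names are made up.
"""
from dataclasses import dataclass
import re

CVE_ID = "CVE-2026-47931"
CVSS_BASE = 8.4  # base score from the page's metrics block

# Highest affected update on each release line named in the advisory
# ("2023.19, 2025.8 and earlier"). No fixed version has been published, so a
# version above these bounds is "not listed", not "fixed".
AFFECTED_THROUGH = {2023: 19, 2025: 8}

_VERSION_RE = re.compile(r"^(\d{4})\.(\d+)$")


def parse_version(version: str) -> tuple[int, int]:
    """Split "2025.8" into (2025, 8); reject anything not of the form <line>.<update>."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised ColdFusion version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def assess(version: str) -> str:
    """Classify one version against the advisory, per release line.

    affected      at or below the listed update on a listed release line
    unlisted      above the listed update on a listed line; with no fix published
                  this needs a manual check against Adobe's advisory
    unknown-line  a release line the advisory does not mention; do not guess
    """
    line, update = parse_version(version)
    if line not in AFFECTED_THROUGH:
        return "unknown-line"
    return "affected" if update <= AFFECTED_THROUGH[line] else "unlisted"


def naive_assess(version: str) -> str:
    """A single "<= 2025.8" bound, shown only to expose its cross-line error:
    it calls 2023.20 affected merely because 2023 < 2025, and 2021.x likewise."""
    return "affected" if parse_version(version) <= (2025, 8) else "unlisted"


@dataclass(frozen=True)
class Finding:
    image: str
    version: str
    status: str
    severity: str
    route_to: str


# Constructed inventory: image reference -> ColdFusion version detected in it.
INVENTORY = {
    "registry.example/cf-portal:2025-u8": "2025.8",
    "registry.example/cf-legacy:2023-u17": "2023.17",
    "registry.example/cf-legacy:2023-u20": "2023.20",
    "registry.example/cf-old:2021-u15": "2021.15",
}

# Constructed ownership rules: image name -> team inbox; unowned images fall
# back to a security triage inbox rather than being dropped.
OWNERS = {"cf-portal": "web-platform", "cf-legacy": "legacy-apps"}
DEFAULT_INBOX = "security-triage"


def severity_for(score: float) -> str:
    """CVSS v3.1 qualitative severity rating scale."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW" if score > 0 else "NONE"


def route(image: str) -> str:
    name = image.rsplit("/", 1)[-1].split(":", 1)[0]
    return OWNERS.get(name, DEFAULT_INBOX)


def scan(inventory: dict[str, str]) -> list[Finding]:
    """One Finding per image. Only a confirmed "affected" version carries the
    CVSS severity; everything else is routed for a manual look, unscored."""
    findings = []
    for image, version in inventory.items():
        status = assess(version)
        severity = severity_for(CVSS_BASE) if status == "affected" else "UNSCORED"
        findings.append(Finding(image, version, status, severity, route(image)))
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY):
        print(f"{CVE_ID} {f.image} cf={f.version} {f.status} {f.severity} -> {f.route_to}")
```

The point of the per-line table is that "2025.8 and earlier" is not one numeric bound: a plain tuple comparison marks 2023.20 and every 2021.x as affected, while the advisory says nothing about either. Until Adobe publishes fixed versions, a version above a listed bound is still worth a manual look, which is why it is routed rather than silently cleared.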

Affected packages
  • Adobe / ColdFusion
    ≤ 2025.8 on the 2025 release line; ≤ 2023.19 on the 2023 release line
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H