HarborGuard Database

HIGH · CVE-2026-47932 · CNA: adobe

CVE-2026-47932: ColdFusion | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restrictions. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Metrics

CVSS v3.1 base score: 8.8
Severity: HIGH
Fixed in: no upstream fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

A path traversal vulnerability (CWE-22) in Adobe ColdFusion (2025 release up to and including update 2025.8; 2023 release up to and including update 2023.19) lets an attacker bypass directory restrictions and reach files or directories outside the intended scope. The CVSS vector scores the attack vector as adjacent network (AV:A) and requires a victim to open a malicious file (UI:R); a successful attack yields high confidentiality, integrity and availability impact (C:H/I:H/A:H), and the scope-changed rating (S:C) means the damage is not confined to the vulnerable ColdFusion process. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Adobe publishes a fix.

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-47932 is active in every HarborGuard environment. The CVE is ingested from upstream feeds (the Adobe PSIRT advisory and NVD) shortly after publication and matched against all customer images, including internally built images that bundle a ColdFusion runtime. Any image carrying an affected version on either release track (2025.8 or earlier, 2023.19 or earlier) is flagged automatically in both registry scans and CI/CD pipeline checks.
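The version match described above, written out as an added example (this is illustrative code, not HarborGuard's matcher). It assumes Adobe's "<release>.<update>" numbering as it appears in the advisory (2023.19, 2025.8) and treats a release track the advisory does not name as "unknown" rather than silently passing it, which is the behaviour a scanner should have for out-of-support releases:

```python
"""Decide whether a ColdFusion version string falls inside the ranges named by
the advisory: 2025.8 and earlier, 2023.19 and earlier.  Added example, not
HarborGuard's code.  The "<release>.<update>" format is an assumption read
from the advisory text."""
from __future__ import annotations
import re

# Highest affected update per release track, per the advisory wording.
AFFECTED_CEILINGS: dict[int, int] = {2023: 19, 2025: 8}

_VERSION_RE = re.compile(r"^\s*(\d{4})(?:\.(\d+))?\s*$")


def parse_version(text: str) -> tuple[int, int]:
    """Parse '2025.8' -> (2025, 8).  A bare '2025' is treated as update 0 (GA)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ColdFusion version: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_affected(text: str) -> bool | None:
    """True if inside an affected range, False if a later update on a named
    track, None if the release track is not named by the advisory at all
    (unknown; route to manual review rather than treating as clean)."""
    release, update = parse_version(text)
    ceiling = AFFECTED_CEILINGS.get(release)
    if ceiling is None:
        return None
    return update <= ceiling


def triage_images(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket an image -> version inventory into affected/unaffected/unknown."""
    buckets: dict[str, list[str]] = {"affected": [], "unaffected": [], "unknown": []}
    for image, version in inventory.items():
        verdict = is_affected(version)
        key = "unknown" if verdict is None else ("affected" if verdict else "unaffected")
        buckets[key].append(image)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; image names and versions are made up.
    sample = {
        "registry.example/cf-app:2025.8": "2025.8",
        "registry.example/cf-app:2025.9": "2025.9",
        "registry.example/legacy-cf:2023.19": "2023.19",
        "registry.example/legacy-cf:2023.20": "2023.20",
        "registry.example/old-cf:2021": "2021.14",
    }
    for bucket, images in triage_images(sample).items():
        print(f"{bucket}: {images}")
```

Note that "2025.9" is classed as unaffected only because it lies above the advisory's ceiling; the page records no fixed version, so a real policy should keep such images in review until Adobe names one.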
Triage (status: Available)

HarborGuard surfaces this CVE with its CVSS v3.1 base score of 8.8 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within the customer organization based on image ownership and policy configuration.
Patch (status: Pending upstream)

Because Adobe has not yet published fixed versions, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as a fix is released. In the interim, customers with auto-remediation enabled can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation for ColdFusion workloads and egress filtering on affected containers.

Exploit Conditions

  • Network reachability: Adjacent (AV:A)

    The CVSS vector scores the attack vector as adjacent network, meaning the attacker is assumed to reach the vulnerable ColdFusion service from the same LAN, VPN, or equivalent broadcast domain rather than from the open internet. This is a scoring assumption, not a network control; it does not by itself protect an instance that is reachable from outside.

  • Authentication: Not required (PR:N)

    No credentials or account of any privilege level are needed to stage the attack against the affected ColdFusion instance.

  • Victim interaction: Required (UI:R)

    A victim must open a malicious file delivered by the attacker, so a social-engineering step is needed to complete exploitation.

  • Attack complexity: Low (AC:L)

    The exploit is scored as reliable: it does not depend on race conditions, specific memory layouts, or other hard-to-control environmental factors.

Blast Radius

  • Reads arbitrary files and directories on the ColdFusion host that fall outside the intended restricted path, including configuration files, credentials, and application source code.
  • Writes or overwrites files outside the restricted directory, enabling persistent modification of application logic or server configuration.
  • Crashes or disrupts the ColdFusion service through destructive file manipulation, causing service outages for dependent applications.
  • Because the vector scores scope as changed (S:C), the impact extends beyond the ColdFusion process itself into dependent components or containers that share its filesystem or runtime environment.
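The weakness class behind this advisory (CWE-22) in miniature, as an added illustration that is not ColdFusion's code and says nothing about where the bug sits in that product: a "restricted directory" served by joining a caller-supplied name onto a base path, beside the containment check that closes the hole. The payloads and the throwaway directory are constructed for the demonstration; the symlink case is included because canonicalising only the request, not the base, is a common half-fix.

```python
"""CWE-22 demonstration: a naive path join next to a hardened resolver that
canonicalises both sides and refuses anything outside the base directory.
Added example; not ColdFusion's code.  Directory layout and payloads are
constructed here purely for the demo."""
from __future__ import annotations
import os
import tempfile
from pathlib import Path


def resolve_unsafe(base: str, requested: str) -> str:
    """Vulnerable pattern: os.path.join drops `base` entirely when `requested`
    is absolute, and never rejects '..' segments, so the result can leave base."""
    return os.path.join(base, requested)


def resolve_safe(base: str, requested: str) -> str:
    """Hardened: resolve symlinks and '..' on both base and candidate, then
    require the candidate to sit inside the real base directory."""
    real_base = Path(base).resolve(strict=True)
    candidate = (real_base / requested).resolve(strict=False)
    try:
        candidate.relative_to(real_base)
    except ValueError:
        raise PermissionError(f"path escapes restricted directory: {requested!r}")
    return str(candidate)


def escapes_base(base: str, requested: str) -> bool:
    """True when the naive join lands outside `base`, i.e. what a traversal
    payload achieves against resolve_unsafe().  Purely lexical; no files needed."""
    real_base = Path(base).resolve(strict=False)
    target = Path(resolve_unsafe(base, requested)).resolve(strict=False)
    try:
        target.relative_to(real_base)
        return False
    except ValueError:
        return True


def demo() -> dict[str, bool]:
    """Run the hardened resolver over constructed payloads in a temp directory.
    Returns {payload: rejected?} so the outcome can be checked programmatically."""
    results: dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "uploads"
        base.mkdir()
        (base / "report.pdf").write_text("ok")
        # A symlink planted inside the restricted dir that points outside it.
        (base / "leak").symlink_to(Path(tmp))
        for payload in ["report.pdf", "../secrets.txt", "/etc/passwd",
                        "sub/../../x", "leak/secrets.txt"]:
            try:
                resolve_safe(str(base), payload)
                results[payload] = False
            except PermissionError:
                results[payload] = True
    return results


if __name__ == "__main__":
    for payload, rejected in demo().items():
        print(f"{payload!r:22} -> {'rejected' if rejected else 'allowed'}")
```

Only the one in-tree file is allowed; the relative climb, the absolute path, the climb hidden behind a subdirectory, and the read through a planted symlink are all refused because the check is made on canonical paths, not on the string the caller supplied.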

How HarborGuard Handles This

Detection for CVE-2026-47932 is active across all connected environments and flags any image that includes an affected ColdFusion build (2025.8 or earlier, or 2023.19 or earlier). Since Adobe has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically when an upstream fix is released; for customers who opt into auto-remediation, that rebuild is paired with a regression-test run and a PR opened against affected workloads. While no patch is available, the policy engine can apply compensating controls: network-policy isolation to limit which hosts can reach ColdFusion workloads, egress filtering on affected containers, and compliance-policy rules that block promotion of affected images to production until a fix is confirmed. Customers can also configure alert escalation for HIGH-severity unpatched findings so the issue stays visible to the responsible team until Adobe ships a resolution.

Affected packages
  • Adobe / ColdFusion
    ≤ 2025.8 (2025 release); ≤ 2023.19 (2023 release)
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H