HIGH | CVE-2026-47937 | CNA: adobe

CVE-2026-47937: Acrobat Reader | Uncontrolled Search Path Element (CWE-427)

Acrobat Reader versions 24.001.30365, 26.001.21651 and earlier are affected by an Uncontrolled Search Path Element vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.

Metrics

  • CVSS v3.1: 7.4
  • Severity: HIGH
  • Fixed in: no fixed version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An Uncontrolled Search Path Element vulnerability affects Adobe Acrobat Reader versions 26.001.21651 and earlier (including 24.001.30365 and earlier in the 24.x line). The attack requires local access to the host, admin-level privileges, and a victim to open a malicious file; the CVSS vector reflects a scope change, meaning the impact can extend beyond the Acrobat Reader process itself. Successful exploitation enables arbitrary code execution in the context of the current user, with high confidentiality and integrity impact. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild as soon as Adobe releases one.

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-47937 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Acrobat Reader or its libraries. Any image found to carry an affected version is flagged immediately in the registry and pipeline scan results.

Triage (status: Available)

HarborGuard scores this finding at CVSS 7.4 HIGH (v3.1) and weights that score against each customer environment's compliance policy to produce an adjusted priority. Triage routing directs the alert to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch (status: Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Adobe ships a fix. Customers with auto-remediation enabled will receive the rebuilt image, a regression-test run, and a PR opened against affected workloads without any manual step required.

Exploit Conditions

  • Network reachability: Not required

    The attacker needs an existing shell or process on the host; no network-facing exposure is required.

  • Authentication: Required

    An admin or otherwise privileged account is needed to place or manipulate the search path entry exploited by this vulnerability.

  • Victim interaction: Required

    A victim must open a malicious file, making this dependent on a social-engineering step to deliver and trigger the payload.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions or specific memory layout conditions.

Blast Radius

  • Executes arbitrary code in the context of the user running Acrobat Reader, inheriting that user's file-system and process permissions.
  • Reads files and data accessible to the current user, including documents, cached credentials, and browser profile data on the host.
  • Modifies or overwrites files accessible to the current user, enabling persistence mechanisms or tampering with local application state.
  • Because scope is changed, the exploit can affect resources and processes outside the Acrobat Reader security boundary on the same host.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked continuously against all images in connected registries and CI pipelines. Because Adobe has not yet published a fix, the recommended immediate action is to apply compensating controls where possible, including restricting the directories included in the DLL or library search path via system policy, enforcing application allowlisting to prevent unauthorized loader hijacking, and isolating hosts running Acrobat Reader behind network policy rules that limit lateral movement if code execution occurs. HarborGuard will re-evaluate the advisory on every ingest cycle; for customers with auto-remediation enabled, a patched-image rebuild, regression run, and PR against affected workloads will be initiated automatically once Adobe publishes a fixed version, with no manual intervention required. Customers without auto-remediation will receive a scan-result update and alert as soon as the fix version is indexed.
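The first compensating control above (restricting which directories sit on the library search path) is only as good as the ACLs on those directories. As an added defender-side example, not HarborGuard's or Adobe's code, the PowerShell audit below lists every machine-wide PATH directory that a low-privilege principal can write to or that does not exist (the usual foothold for CWE-427 search-path hijacking) and reports the two loader-order hardening values under the Session Manager registry key. It assumes a Windows host; the SIDs and registry value names are standard Windows ones, and the function names are the example's own.

```powershell
function Get-WritablePathEntry {
    # Added example: flag machine PATH directories a low-privilege SID can create
    # files in, plus entries that do not exist (a later-created directory takes that
    # search slot). Everyone, Authenticated Users, BUILTIN\Users are the SIDs checked.
    $lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $createMask  = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                         [System.Security.AccessControl.FileSystemRights]::AppendData)
    $dirs = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
            Where-Object { $_ } |
            ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()) } |
            Select-Object -Unique
    foreach ($dir in $dirs) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            [pscustomobject]@{ Directory = $dir; Issue = 'missing'; Principal = $null }
            continue
        }
        foreach ($rule in (Get-Acl -LiteralPath $dir).Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            if (([int]$rule.FileSystemRights -band $createMask) -eq 0) { continue }
            try {
                $sid = $rule.IdentityReference.Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }   # unresolvable (orphaned) identity: skip it
            if ($lowPrivSids -contains $sid) {
                [pscustomobject]@{ Directory = $dir; Issue = 'writable'; Principal = $rule.IdentityReference.Value }
            }
        }
    }
}

function Get-DllSearchHardening {
    # Reads the loader-order hardening values. An absent SafeDllSearchMode means the
    # secure default (1) applies; an absent CWDIllegalInDllSearch means the current
    # working directory is still searched for DLLs.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SafeDllSearchMode     = if ($null -ne $p.SafeDllSearchMode) { $p.SafeDllSearchMode } else { '1 (default)' }
        CWDIllegalInDllSearch = if ($null -ne $p.CWDIllegalInDllSearch) { $p.CWDIllegalInDllSearch } else { 'not set (CWD searched)' }
    }
}

Get-DllSearchHardening | Format-List
Get-WritablePathEntry  | Format-Table -AutoSize
```

Every directory reported as writable or missing is a candidate for tightening its ACL or removing it from the system PATH; the same ACL check can be run over the installation directory of Acrobat Reader itself.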

Affected packages
  • Adobe / Acrobat Reader ≤ 26.001.21651
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N