CVE-2026-48277 | Severity: CRITICAL | CNA: adobe

CVE-2026-48277: ColdFusion | Improper Input Validation (CWE-20)

ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

Metrics

CVSS v3.1 base score: 10.0
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

An improper input validation vulnerability in Adobe ColdFusion (versions 2023.20 and earlier, and 2025.9 and earlier) allows a remote, unauthenticated attacker to reach the affected service over the network with no special privileges required. Successful exploitation results in arbitrary code execution in the context of the running ColdFusion process, with a changed scope meaning impact can extend beyond the vulnerable component itself. No fix has been published by Adobe; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images incorporating affected ColdFusion versions. Any image in a connected registry or CI/CD pipeline that packages ColdFusion 2023.20 or earlier is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 10.0 (Critical) and surfaces it at the highest triage priority; per-environment compliance policy weighting is applied so alerts route to the appropriate team inbox within each customer organization. Because no patch is yet available, the finding is marked for active monitoring rather than immediate remediation closure.

Patch: Pending upstream

Because no fix version has been published by Adobe, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the ColdFusion service over the network; no local or physical access is assumed by the CVSS vector (AV:N).

  • Authentication: Not required

    No credentials or session token are needed to trigger the vulnerability (PR:N); any unauthenticated request to the exposed service is sufficient.

  • Victim interaction: Not required

    The exploit fires without any action from a logged-in user or administrator (UI:N); the attacker operates entirely independently.

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions, memory-layout knowledge, or environmental prerequisites are required (AC:L).

Blast Radius

  • Executes arbitrary code in the context of the ColdFusion server process, giving the attacker full control over that process and its accessible resources.
  • Reads any data the ColdFusion process can access, including database credentials, session tokens, API keys, and application configuration files.
  • Writes or modifies files, application state, and persisted data reachable by the server process.
  • Because scope is changed (S:C), impact can extend to other components or services that trust or share resources with the ColdFusion instance, such as back-end databases or adjacent internal services.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-48277 as of publication, the recommended actions are monitoring and compensating controls rather than a patched rebuild. HarborGuard re-checks the Adobe advisory on every ingest cycle and will automatically trigger a rebuild and PR flow for customers with auto-remediation enabled the moment Adobe publishes a fix. In the interim, customers can use HarborGuard network-policy suggestions to isolate ColdFusion workloads behind strict ingress rules, limiting inbound access to known trusted sources only. Egress filtering recommendations are also surfaced to reduce the blast radius if the service is compromised. Where compliance policy permits, teams can gate or disable externally exposed ColdFusion endpoints via feature-flag or deployment configuration until a patched version is available.

Affected packages
  • Adobe / ColdFusion ≤ 2023.20

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H