CVE-2026-48286: Adobe Campaign Classic (ACC) | Incorrect Authorization (CWE-863)
Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An incorrect authorization vulnerability in Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier allows a remote, unauthenticated attacker to bypass access controls and execute arbitrary code in the context of the running service. The vulnerability is reachable over the network with no credentials and no victim interaction required, and the changed scope indicator means a successful attacker can affect resources beyond the immediate application boundary. Exploitation achieves full confidentiality, integrity, and availability impact, including arbitrary code execution. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Adobe publishes a fix.
HarborGuard Coverage
Detection capability for CVE-2026-48286 is available across every HarborGuard environment - the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle ACC components.
Status: Available
HarborGuard scores this finding at CVSS 10.0 (Critical) and is capable of weighting it against each environment's compliance policy to surface it at the appropriate severity tier; routing rules can direct the alert to the right team inbox within each customer organization automatically.
Status: Available
Because no fix version has been published by Adobe, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically without manual intervention.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the ACC service over the network; no prior foothold on the host is required.
- Authentication: Not required
  No credentials of any privilege level are needed to trigger the vulnerability.
- Victim interaction: Not required
  The exploit completes without any action from a logged-in user or administrator.
- Attack complexity: Detail
  The exploit is reliable and condition-free; no race conditions, memory-layout assumptions, or special environmental factors need to align.
Blast Radius
- A successful attacker executes arbitrary code in the context of the ACC service process, gaining a direct execution foothold on the host.
- Full confidentiality loss means the attacker reads any data the service can access, including campaign recipient records, credentials stored in the application, and connected database contents.
- Full integrity loss means the attacker modifies or deletes campaign data, configuration, and any files the service account can write.
- Full availability loss means the attacker crashes or locks the ACC service, disrupting email delivery and campaign scheduling for the affected installation; the changed scope means adjacent systems sharing infrastructure can also be affected.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-48286 is active across connected environments and will flag any image containing an affected ACC build (7.4.3 build 9396 or earlier) as Critical. Because Adobe has not yet published a remediated build, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix version is released upstream. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against affected workloads. While no patch is available, recommended compensating controls include isolating ACC nodes behind a strict network policy that limits inbound access to known, trusted source addresses; applying egress filtering to prevent outbound connections from compromised ACC processes; and auditing service-account permissions to reduce the blast radius of any code running in the ACC process context.
- Adobe / Adobe Campaign Classic (ACC) ≤ 7.4.3 build 9396
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H