How is CVE-2026-48303 exploited?

Network reachability (required): The attacker must reach the ACC service over the network; no local or physical access is needed, making any internet- or intranet-exposed ACC instance a viable target. Authentication (not-required): No credentials of any privilege level are required; the authorization bypass can be triggered by an anonymous request. Victim interaction (not-required): The exploit completes without any action from a logged-in user or administrator. Attack complexity (info): The exploit is reliable and condition-free, with no race conditions, memory-layout dependencies, or other environmental factors standing between the attacker and successful exploitation.

What is the impact of CVE-2026-48303?

The attacker executes arbitrary code in the context of the ACC service user, gaining a foothold on the host running the application. All data stored or accessible by ACC, including campaign records, contact lists, and stored credentials, is readable by the attacker. The attacker can modify or delete campaign configurations, scheduled jobs, delivery templates, and persisted database rows reachable by the ACC service account. The attacker can crash or render the ACC service unavailable, disrupting marketing delivery pipelines and dependent downstream integrations.

Back to search

CRITICALCVE-2026-48303Published 2026-06-09Modified 2026-06-10CNA adobe

CVE-2026-48303: Adobe Campaign Classic (ACC) | Incorrect Authorization (CWE-863)

Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

CVSS v3.1: 10.0
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

An incorrect authorization vulnerability in Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier allows a remote, unauthenticated attacker to bypass access controls entirely. The vulnerability is reachable over the network with no credentials or user interaction required, and its scope extends beyond the directly affected component. Successful exploitation results in arbitrary code execution in the context of the current user, giving the attacker full read, write, and availability impact across affected systems. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Adobe publishes a fix.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-48303 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of feed ingestion, including custom-built images that bundle ACC or its dependencies.

Available

Triage

HarborGuard scores this finding at CVSS 10.0 (Critical) and is capable of weighting it against each customer's per-environment compliance policy to route the alert to the appropriate team inbox automatically.

Available

Patch

No fix version has been published by Adobe for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; for customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the ACC service over the network; no local or physical access is needed, making any internet- or intranet-exposed ACC instance a viable target.
AuthenticationNot required
No credentials of any privilege level are required; the authorization bypass can be triggered by an anonymous request.
Victim interactionNot required
The exploit completes without any action from a logged-in user or administrator.
Attack complexityDetail
The exploit is reliable and condition-free, with no race conditions, memory-layout dependencies, or other environmental factors standing between the attacker and successful exploitation.

Blast Radius

The attacker executes arbitrary code in the context of the ACC service user, gaining a foothold on the host running the application.
All data stored or accessible by ACC, including campaign records, contact lists, and stored credentials, is readable by the attacker.
The attacker can modify or delete campaign configurations, scheduled jobs, delivery templates, and persisted database rows reachable by the ACC service account.
The attacker can crash or render the ACC service unavailable, disrupting marketing delivery pipelines and dependent downstream integrations.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-48303, automated rebuild is not yet available, but HarborGuard re-evaluates the advisory on every ingest cycle and will trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression run and PR against affected workloads the moment Adobe releases a fix. In the interim, HarborGuard surfaces this finding at Critical severity in every affected environment so teams can apply compensating controls immediately. Recommended compensating controls include network-policy isolation to restrict inbound access to ACC to known IP ranges only, egress filtering to limit the blast radius of a compromised ACC process, and disabling non-essential ACC features or endpoints via feature-flag configuration until a vendor patch is available.

See how HarborGuard automates this

Affected packages

Adobe / Adobe Campaign Classic (ACC)
≤ 7.4.3 build 9394

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References

helpx.adobe.com

Metrics

Get notified