CVE-2026-47907: Adobe Dreamweaver Desktop Improper Access Control
Adobe Dreamweaver Desktop versions 21.7 and earlier contain a flaw that allows an attacker to run malicious code on a victim's computer. The vulnerability exists because Dreamweaver does not properly restrict access to certain functions. An attacker must trick a user into opening a specially crafted file—Dreamweaver itself will not automatically trigger the issue. Once exploited, the attacker gains the ability to execute code with the same permissions as the user running Dreamweaver, potentially compromising sensitive projects, credentials stored locally, or the broader system.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.6 HIGH · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-284
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-29
NVD description (verbatim)
Dreamweaver Desktop versions 21.7 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47907 is an improper access control vulnerability (CWE-284) affecting Adobe Dreamweaver Desktop through version 21.7 on Windows and macOS platforms. The vulnerability allows arbitrary code execution within the context of the current user by bypassing access controls that should restrict certain operations. The CVSS v3.1 score of 8.6 reflects high impact across confidentiality, integrity, and availability, with local attack vector, low attack complexity, no privilege requirement, and user interaction required. The scope change indicates that the impact extends beyond the vulnerable component itself, potentially affecting the underlying operating system or other applications running under the user's session.
Business impact
Organizations relying on Dreamweaver for web design and development work face exposure to supply chain and insider threat risks if developers open untrusted project files or collaborate on externally sourced design assets. Compromised machines could lead to injection of malicious code into web applications, theft of intellectual property, exposure of API keys or database credentials embedded in projects, and lateral movement into internal networks. For agencies or teams handling sensitive web properties, this vulnerability could undermine the integrity of production deployments and customer-facing systems.
Affected systems
Adobe Dreamweaver Desktop versions 21.7 and earlier are affected. The vulnerability impacts both Windows and macOS deployments. Users running version 21.8 and later are not affected by this specific flaw. Organizations should verify their exact Dreamweaver version across development teams to identify exposure. The vulnerability does not affect Dreamweaver cloud-based or web-hosted variants—only the desktop application.
Exploitability
Exploitation requires user interaction: a victim must open a malicious file in Dreamweaver for code execution to occur. This is a practical but not trivial barrier, as it relies on social engineering or phishing to deliver the weaponized file. The attack surface is moderate—any employee with Dreamweaver installed and access to email or file sharing is a potential target. Once a user opens the malicious file, no additional steps are required; code execution happens automatically. The vulnerability is not actively exploited in the wild according to current KEV data, but the high CVSS score and ease of exploitation once user interaction is achieved mean the threat level will likely increase after public disclosure or proof-of-concept release.
Remediation
Adobe has patched this vulnerability in Dreamweaver Desktop version 21.8 and later. Organizations should upgrade all Dreamweaver installations to version 21.8 or the latest available release as soon as possible. Interim mitigation includes restricting file opening from untrusted sources, disabling auto-opening of design files from email clients, and educating developers to be cautious when opening .psd, .xd, or project files from external collaborators. For teams unable to patch immediately, consider limiting Dreamweaver to isolated development machines without access to sensitive production systems.
Patch guidance
Upgrade Adobe Dreamweaver Desktop to version 21.8 or later. Adobe typically releases patches through the Creative Cloud desktop application or direct download from adobe.com. Verify your current version by launching Dreamweaver and checking Help > About Dreamweaver. Organizations with Creative Cloud enterprise licensing should coordinate patches through their IT deployment tool or Adobe's update service. Test patched versions in a non-production environment first to ensure compatibility with existing projects and extensions. Plan patching during scheduled maintenance windows to minimize disruption to design teams.
Detection guidance
Monitor Dreamweaver process execution for suspicious child processes (cmd.exe, powershell.exe, bash) spawned during file opening. Log file access patterns to identify when project files are opened from unusual locations (temp directories, downloads, network shares) or by unexpected users. Endpoint detection and response (EDR) tools should flag execution anomalies following Dreamweaver launch. Network monitoring can detect outbound connections from Dreamweaver processes to command-and-control infrastructure. Consider deploying file integrity monitoring on directories containing critical design assets to detect unauthorized modification. Review file server logs for access to Dreamweaver project files from compromised or suspicious user accounts.
Why prioritize this
This vulnerability merits immediate patching priority due to its high CVSS score (8.6), broad platform coverage (Windows and macOS), and the widespread use of Dreamweaver across design and development teams. The requirement for user interaction is offset by the ease of social engineering attacks targeting collaborative workflows. Unlike vulnerabilities requiring advanced exploitation or special privileges, this can be weaponized with minimal effort and executed by low-skill attackers. The scope change compounds risk by allowing compromise of the wider system beyond Dreamweaver itself. Organizations should prioritize patching creative teams within 14 days of patch availability.
Risk score, explained
The CVSS v3.1 score of 8.6 (HIGH severity) reflects multiple aggravating factors: unrestricted code execution in the user context (confidentiality, integrity, and availability all rated high), a local attack vector with low complexity, absence of privilege requirements, and a change in scope that extends impact to the underlying OS and other user-context processes. The score would be higher (9.0+) if no user interaction were required, but the practical social engineering risk keeps it in the high range. This is a legitimate 'critical-tier' vulnerability for organizations with large design or web development teams.
Frequently asked questions
Does this affect Dreamweaver Cloud or web-based versions?
No. This vulnerability affects only Adobe Dreamweaver Desktop (the locally installed application). Cloud-based design tools and web-hosted Dreamweaver services are not impacted by CVE-2026-47907.
What file types can be weaponized to exploit this vulnerability?
The advisory does not specify which file types trigger the vulnerability. Best practice is to treat all Dreamweaver-compatible files (projects, PSDs, XD files, HTML/CSS assets) as potentially dangerous if received from untrusted sources until patching is complete.
Can this vulnerability be exploited over the network or only locally?
The CVSS vector indicates a local attack vector (AV:L), meaning the attacker must have local file access or the ability to place a file on the victim's system (via email, file share, USB). It cannot be exploited remotely over the internet without user interaction to download and open a malicious file.
What should we do if we cannot patch immediately?
Until patching is possible, restrict Dreamweaver to isolated machines without access to production systems, disable file auto-opening in email clients, implement file sandboxing for externally received design files, and educate users not to open project files from unknown sources. Monitor for suspicious Dreamweaver behavior and consider using EDR tools to detect exploitation attempts.
This analysis is provided for informational purposes and reflects publicly disclosed vulnerability data as of the publication date. Organizations should verify patch availability and compatibility with their specific Dreamweaver configurations and extensions before deploying updates. Threat landscape and exploit availability may change; monitor official Adobe security advisories and threat intelligence feeds for updates. SEC.co does not provide legal, compliance, or vendor-specific support advice; consult Adobe directly or engage professional services for enterprise deployment guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-11179HIGHChrome ORB Site Isolation Bypass (CVSS 8.8)
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)
- CVE-2026-11026MEDIUMChrome Extension Navigation Bypass Vulnerability
- CVE-2026-11078MEDIUMChrome FileSystem Same-Origin Policy Bypass – MEDIUM Severity
- CVE-2026-11135MEDIUMChrome Autofill Bypass Allows Credential Misdirection
- CVE-2026-11187MEDIUMChrome Navigation Restriction Bypass Vulnerability
- CVE-2026-11190MEDIUMGoogle Chrome Extension Access Control Bypass (6.5 CVSS)
- CVE-2026-11193MEDIUMChrome Password Manager Access Control Bypass – CVSS 6.5