CVE-2026-47910: Dreamweaver Desktop File Read Vulnerability – Patch Guidance
Dreamweaver Desktop versions 21.7 and earlier contain an authorization flaw that allows attackers to read files from your computer that they shouldn't have access to. The attacker must trick you into opening a malicious file, but once you do, they can potentially access sensitive documents and system files. This is a local attack that doesn't require special permissions to execute.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-863
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
Dreamweaver Desktop versions 21.7 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47910 is an Incorrect Authorization vulnerability (CWE-863) in Dreamweaver Desktop affecting versions 21.7 and earlier on Windows and macOS. The vulnerability permits arbitrary file system read operations beyond the intended scope when a victim opens a specially crafted malicious file. The attack vector is local with low complexity; no special privileges are required. User interaction is mandatory—the victim must explicitly open the malicious file. The scope changes from the application's intended boundaries, elevating the confidentiality impact to high while integrity and availability remain unaffected. CVSS 3.1 base score is 6.3 (Medium).
Business impact
A successful exploitation chain could expose proprietary source code, intellectual property, database credentials stored in configuration files, or personally identifiable information (PII) residing on affected workstations. For development teams, this creates a supply-chain risk if developers' machines are compromised via phishing or file-sharing attacks. The mandatory user interaction requirement provides a control point, but sophisticated social engineering targeting designers and developers could make such attacks practical at scale.
Affected systems
Adobe Dreamweaver Desktop version 21.7 and all earlier versions are vulnerable on both Windows and macOS platforms. The attack surface is any user with Dreamweaver installed who opens untrusted files. Web designers, front-end developers, and content creators using these versions are at direct risk.
Exploitability
Exploitation is feasible but requires user interaction—the victim must open a malicious file crafted by the attacker. No privilege escalation or complex authentication bypass is needed. The low attack complexity suggests the malicious file itself is not difficult to construct. However, the attack remains limited to local file access on the victim's system; remote exploitation is not possible.
Remediation
Update Dreamweaver Desktop to a version later than 21.7. Verify the specific patched version in Adobe's official security advisory before deployment. Until patching is complete, users should avoid opening Dreamweaver project files or documents from untrusted sources and consider restricting file-opening permissions where organizational policy permits.
Patch guidance
Contact Adobe for confirmed patch availability and version numbers addressing CVE-2026-47910. Implement patching across your development environment in phases, starting with systems handling sensitive or proprietary data. Test the patched version in a non-production environment first to ensure compatibility with existing workflows and plugins. Track patch deployment to confirm no legacy versions remain in active use.
Detection guidance
Monitor file access patterns on systems running Dreamweaver, particularly for unusual reads of sensitive file paths (e.g., credential stores, configuration directories outside the Dreamweaver installation folder). Endpoint Detection and Response (EDR) solutions should flag suspicious file enumeration or access to protected directories initiated by Dreamweaver processes. Audit logs for file-open operations in Dreamweaver can help identify when malicious files were processed.
Why prioritize this
Although the CVSS score is Medium (6.3), this vulnerability warrants prioritization because it targets development and creative teams whose machines often store high-value intellectual property and credentials. The scope change to other system components elevates real-world risk. User interaction is the limiting factor, but is not a strong control in environments where file sharing and collaboration are routine. Organizations with robust developer security posture should address this promptly.
Risk score, explained
The CVSS 3.1 score of 6.3 (Medium) reflects high confidentiality impact, low attack complexity, and local attack vector, tempered by the requirement for user interaction. The scope change increases impact beyond the vulnerable component itself. However, the lack of integrity or availability impact and the need for deliberate file opening by the victim prevent a higher severity rating. In context-specific risk assessments, organizations handling sensitive R&D or customer data may justifiably elevate this internally.
Frequently asked questions
Can an attacker read files remotely via this vulnerability?
No. CVE-2026-47910 is a local attack only. The attacker must first convince a user to open a malicious file on the target machine. Remote exploitation without user interaction is not possible.
Does this vulnerability allow code execution or system compromise?
This vulnerability permits file read access only. It does not enable code execution, privilege escalation, or modifications to system files. An attacker gains visibility into sensitive data but cannot alter or execute code.
Are versions after 21.7 automatically safe?
Versions released after 21.7 are expected to address this flaw, but always verify the specific patched version in Adobe's official security advisory. Apply updates from trusted sources only.
How can we reduce risk if we cannot patch immediately?
Educate users not to open Dreamweaver files from untrusted sources. If possible, restrict or monitor file-open operations on systems handling sensitive data. Consider isolating high-risk machines or limiting their network connectivity until patching is complete.
This analysis is for informational purposes and represents best-practice interpretation of published vulnerability data as of the date issued. Organizations must verify patch availability and compatibility against vendor advisories before deployment. SEC.co does not guarantee the accuracy of vendor-supplied information or the completeness of remediation guidance. Always test patches in non-production environments and consult your organization's security and compliance teams before making changes to production systems. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34657MEDIUMPath Traversal in CAI Content Credentials c2pa-web—MEDIUM Severity
- CVE-2026-34694MEDIUMAdobe Experience Manager Forms JEE Stored XSS Vulnerability – Patch Guide
- CVE-2026-34703MEDIUMAdobe InDesign Null Pointer Denial-of-Service Vulnerability
- CVE-2026-34704MEDIUMInDesign NULL Pointer Dereference DoS Vulnerability
- CVE-2026-34705MEDIUMAdobe InDesign Out-of-Bounds Memory Read Vulnerability
- CVE-2026-47909MEDIUMDreamweaver Arbitrary File Read via Input Validation Flaw
- CVE-2026-47923MEDIUMAdobe Acrobat Reader Out-of-Bounds Memory Read – Information Disclosure Risk
- CVE-2026-47924MEDIUMAdobe Acrobat Reader Use-After-Free Memory Disclosure Vulnerability