CVE-2026-47929: ColdFusion Authorization Bypass Leads to Code Execution
ColdFusion versions 2023.19, 2025.8 and earlier contain an authorization flaw that allows high-privileged attackers to execute arbitrary code within the context of the current user without requiring any user interaction. The vulnerability crosses trust boundaries, meaning an attacker with elevated permissions could escalate access or take control of affected accounts and sessions. This is a serious issue for organizations running vulnerable versions of ColdFusion.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.4 HIGH · CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-863
- Affected products
- 29 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to gain elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47929 is an Incorrect Authorization vulnerability (CWE-863) in Adobe ColdFusion that permits arbitrary code execution in the authenticated user's context. The attack vector requires adjacent network access and high privileges, but no user interaction is necessary for exploitation. The vulnerability's scope change indicates it can affect resources beyond the vulnerable component itself, making lateral movement and privilege escalation plausible. The high CVSS 3.1 score of 8.4 reflects the combination of high impact across confidentiality, integrity, and availability with relatively low attack complexity.
Business impact
Organizations using affected ColdFusion versions face significant operational risk. A high-privileged attacker exploiting this flaw could gain unauthorized control over user accounts, sessions, or sensitive data processed by ColdFusion applications. This could lead to data breaches, unauthorized modifications to business-critical processes, service disruption, or compliance violations. The scope change means the blast radius extends beyond isolated ColdFusion instances—lateral movement into connected systems becomes feasible for a skilled attacker.
Affected systems
Adobe ColdFusion versions 2023.19, 2025.8 and all earlier versions are vulnerable. Organizations must verify their exact ColdFusion deployment version and check Adobe's official advisory for the complete list of affected releases and any exceptions. Environments with network-accessible ColdFusion instances or those hosting multi-tenant applications are at heightened risk.
Exploitability
Exploitation requires adjacent network access and high-level privileges within the organization—this is not a zero-privilege or remote-from-the-internet attack. However, the requirement for user interaction is absent, meaning once an attacker with elevated credentials is positioned on the network, they can trigger the flaw immediately without social engineering or additional user cooperation. This substantially increases the practical risk in environments where privileged accounts may be compromised through lateral movement or credential theft.
Remediation
Patch affected ColdFusion instances to a patched version released by Adobe addressing CVE-2026-47929. Verify the exact patch version against Adobe's official security advisory. In environments where immediate patching is not feasible, implement network segmentation to restrict ColdFusion access to trusted administrative users and systems, and enforce strict privileged access controls. Monitor for suspicious authentication activity and code execution patterns on ColdFusion servers.
Patch guidance
Contact Adobe or review their official security bulletin for patched versions of ColdFusion 2025.8 and 2023.19 lines. Prioritize patching production systems serving critical business functions. Test patches in a non-production environment before deployment to ensure compatibility with existing configurations and extensions. Given the high-privilege requirement and scope-change nature of this vulnerability, even systems with restricted network exposure should be treated as high priority for patching.
Detection guidance
Monitor ColdFusion application logs and system logs for unexpected code execution, particularly calls to system execution functions or shell commands initiated from ColdFusion services. Look for unusual privilege escalation attempts or session takeover indicators on accounts that interact with ColdFusion. Network-level detection should focus on traffic patterns to ColdFusion from unexpected sources or at unusual times. Endpoint detection and response (EDR) tools should flag suspicious process creation tied to ColdFusion application pools or Java processes.
Why prioritize this
This vulnerability merits immediate attention due to its high CVSS score, direct code execution impact, and scope change allowing cross-boundary exploitation. While the attack requires high privileges and adjacent access—limiting the immediate threat surface—the absence of user interaction requirement and the potential for lateral movement once an attacker gains a foothold make this a serious risk in enterprise environments. Organizations with ColdFusion deployments should prioritize this alongside their most critical security updates.
Risk score, explained
The CVSS 3.1 score of 8.4 (HIGH) reflects multiple aggravating factors: arbitrary code execution capability (full confidentiality, integrity, and availability impact), a scope change indicating cross-boundary risk, and low attack complexity once access prerequisites are met. The mitigating factors—requirement for high privileges and adjacent network access—prevent a critical rating but do not substantially reduce the severity for organizations where these prerequisites may already exist due to other compromises or internal threats.
Frequently asked questions
Does this vulnerability affect ColdFusion running on-premises and cloud-hosted instances?
Yes, the vulnerability affects ColdFusion versions 2023.19, 2025.8 and earlier regardless of deployment model. Whether running in your data center, a private cloud, or a managed hosting service, any affected version presents the same risk. Consult your deployment documentation to confirm your ColdFusion version.
What does 'scope is changed' mean for this vulnerability?
Scope change indicates that a successful exploit can impact resources or systems beyond the vulnerable ColdFusion component itself. This means an attacker may be able to use a compromised ColdFusion instance to affect other connected systems, databases, or services, amplifying the risk of lateral movement and broader infrastructure compromise.
Is this vulnerability currently being exploited in the wild?
As of the published date, this vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting no confirmed active exploitation has been publicly reported. However, the absence of KEV listing does not guarantee the vulnerability has not been discovered or weaponized by threat actors—maintain vigilant monitoring and prioritize patches accordingly.
What if we cannot patch immediately?
Implement compensating controls: restrict network access to ColdFusion instances using firewalls and VLANs, enforce multi-factor authentication for administrative access, and maintain detailed logging of all ColdFusion activity. Reduce the attack surface by disabling unnecessary ColdFusion services and extensions. These measures reduce but do not eliminate risk; patching remains the definitive remediation.
This analysis is provided for informational purposes and reflects the vulnerability details as published on the date indicated. Organizations must verify all technical details, affected versions, and patch availability directly against Adobe's official security advisories before making deployment or remediation decisions. SEC.co assumes no liability for accuracy of vendor-provided information or for consequences of remediation actions taken based on this analysis. Always test security patches in non-production environments first. This document does not constitute legal, compliance, or security advice. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-47910MEDIUMDreamweaver Desktop File Read Vulnerability – Patch Guidance
- CVE-2025-14774HIGHABB T-MAC Plus Denial-of-Service Vulnerability (CVSS 7.4)
- CVE-2025-32348HIGHAndroid Local Privilege Escalation via Missing Permission Check
- CVE-2026-0272HIGHPalo Alto PAN-OS Privilege Escalation Vulnerability (PA-Series, VM-Series, Panorama)
- CVE-2026-21031HIGHAppBlock Authorization Flaw in Samsung Android—Risk & Patch Guidance
- CVE-2026-24724HIGHQNAP File Station 6 Authorization Bypass (CVSS 8.1)
- CVE-2026-3514HIGHPrefect 3.6.19 Authentication Bypass via Health Check Exemptions
- CVE-2026-35482HIGHalf.io Sandbox Escape Allows Admin Command Execution