CVE-2026-47932: Adobe ColdFusion Path Traversal – HIGH Severity Security Bypass
Adobe ColdFusion versions 2023.19, 2025.8 and earlier contain a path traversal vulnerability that allows attackers to bypass security controls and access files outside their intended boundaries. An attacker must trick a user into opening a malicious file to exploit this flaw, making it a user-interaction-dependent attack. Once exploited, an attacker gains unauthorized access to sensitive data, can modify files, or disrupt system availability—with the ability to impact other systems or users connected to the vulnerable ColdFusion instance.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-22
- Affected products
- 29 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to access unauthorized files or directories outside the intended restrictions. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47932 is a CWE-22 path traversal vulnerability in Adobe ColdFusion that fails to properly restrict directory access. The vulnerability has a CVSS 3.1 score of 8.8 (HIGH) with a vector of CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating adjacent network attack surface, low attack complexity, no privilege requirement, and high impact across confidentiality, integrity, and availability. Critically, the scope is changed, meaning the vulnerability can affect resources beyond the vulnerable component itself. Exploitation requires user interaction—specifically, a victim must open a malicious file crafted to trigger the path traversal condition.
Business impact
Organizations running vulnerable ColdFusion instances face exposure of sensitive application data, configuration files, and potentially system-level information. The ability to modify files could enable attackers to inject malicious code, alter business logic, or corrupt data integrity. With cross-scope impact, a compromised ColdFusion server could serve as a pivot point to attack downstream systems, databases, or connected infrastructure. The user-interaction requirement limits mass exploitation but does not eliminate risk in environments where users regularly process files from external or semi-trusted sources.
Affected systems
All Adobe ColdFusion deployments running version 2023.19, 2025.8, or any earlier release are affected. Organizations should inventory ColdFusion instances across development, staging, and production environments. This includes both traditional on-premises installations and cloud-hosted deployments.
Exploitability
Exploitation requires an attacker to craft a malicious file and convince a user to open it—a social engineering component that reduces opportunistic exploitation but remains practical in targeted campaigns. Once the file is opened within a ColdFusion context, the vulnerability is trivial to trigger due to low attack complexity. The CVSS vector confirms no special privileges are needed, making this accessible to any external attacker who can deliver a malicious file. Current availability of public exploit code or active exploitation is not currently tracked in the KEV catalog.
Remediation
Immediate action: obtain and deploy the latest ColdFusion security update from Adobe that addresses CVE-2026-47932. Verify the patch version against Adobe's official security advisory. Interim mitigations include restricting file upload and processing capabilities, disabling unnecessary file handling features, and implementing strict input validation on any user-supplied file paths. Consider network segmentation to limit lateral movement if a ColdFusion instance is compromised.
Patch guidance
Contact Adobe or consult their official ColdFusion security advisory (published 2026-06-09, updated 2026-06-17) to identify the specific patched version for your release branch. Test patches in a non-production environment before deployment. Given the HIGH severity and broad impact scope, prioritize patching within 30 days. If an immediate patch is unavailable, implement compensating controls such as disabling file upload endpoints or restricting ColdFusion process permissions at the OS level.
Detection guidance
Monitor ColdFusion logs for suspicious file path patterns, including sequences like '../', '..\', or encoded path traversal attempts. Audit file access logs for unexpected reads or writes to sensitive directories outside the application's intended scope. Set alerts on process-level file access anomalies, particularly when ColdFusion accesses system directories or configuration folders. Network detection should flag inbound file transfers to ColdFusion services, especially from untrusted sources. Review recent ColdFusion process behavior for evidence of unauthorized file enumeration or exfiltration.
Why prioritize this
This vulnerability merits immediate attention due to its HIGH CVSS score (8.8), comprehensive impact on confidentiality, integrity, and availability, and scope change that enables cross-system compromise. Although exploitation requires user interaction, the low attack complexity and lack of privilege requirements make it practical for adversaries. The broad version range affected (2023.19 and earlier, 2025.8 and earlier) likely encompasses many production deployments. Organizations should treat this as a critical patch cycle item.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects the combination of a relatively easy exploitation path (adjacent network, low complexity, user interaction), complete compromise of all three security pillars (C:H, I:H, A:H), and the significant escalation risk posed by scope change. While user interaction is a limiting factor, it does not substantially reduce the score in CVSS 3.1 methodology because the vulnerability itself is trivial to exploit once triggered. Organizations with high file-processing volume or users handling external documents should consider this toward the top of their remediation queue.
Frequently asked questions
Can this vulnerability be exploited without user interaction?
No. The vulnerability requires a victim to open a malicious file within or processed by ColdFusion. However, social engineering to achieve this is a well-established attack pattern, so the user-interaction requirement should not be underestimated.
What versions of ColdFusion are affected?
Adobe ColdFusion versions 2023.19, 2025.8, and all earlier releases. Consult Adobe's advisory to confirm the first patched version for your specific release branch.
Can an attacker access any file on the server?
Path traversal vulnerabilities typically allow access to files readable by the ColdFusion process. The scope change noted in the CVSS vector indicates potential to affect resources beyond the ColdFusion application itself, such as shared system files or adjacent services. The actual extent depends on ColdFusion process permissions and system configuration.
Is there a public exploit available?
As of the published date (2026-06-09), this vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. However, proof-of-concept information may emerge quickly, so patching promptly is essential.
This analysis is provided for informational purposes and reflects threat intelligence as of the publication and modification dates (2026-06-09 to 2026-06-17). Patch version numbers, specific remediation steps, and availability of updates must be verified against Adobe's official ColdFusion security advisories. CVSS scores and affected version information are sourced from authoritative vulnerability data. No exploit code or weaponized proof-of-concept instructions are provided. Organizations should conduct their own testing and risk assessment before deploying patches in production environments. SEC.co assumes no liability for misuse of this information or incomplete mitigation strategies. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-34657MEDIUMPath Traversal in CAI Content Credentials c2pa-web—MEDIUM Severity
- CVE-2017-20248HIGHApptha Slider Gallery Path Traversal Vulnerability
- CVE-2017-20250HIGHMac Photo Gallery 3.0 Path Traversal File Download Vulnerability
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-0270HIGHCortex XSOAR Path Traversal on Linux — Exploit Requirements & Patching Guide
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-11416HIGHMoviePilot Path Traversal in Cloud Storage Download Handlers