CVE-2026-34622 - Vulnerability Details

- Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)

Description

Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Published: 2026-04-14

Score: 8.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Adobe Acrobat Reader contains a prototype pollution flaw that allows an attacker to modify object prototype attributes during the processing of a PDF file. This weakness, identified as CWE‑1321, can result in arbitrary code execution in the context of the current user. The vulnerability arises from an improper control over how JavaScript objects are altered when a crafted file is opened.

Affected Systems

Adobe Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and all earlier releases are affected. All editions of Acrobat Reader that ship with these version numbers on any supported operating system are vulnerable.

Risk and Exploitability

The CVSS score of 8.6 categorizes this flaw as high severity, indicating substantial risk to confidentiality, integrity, and availability. Exploitation requires the victim to open a malicious PDF file, so the attack vector depends on the user’s interaction with the document. The severity rating and user‑interaction requirement highlight the need for proactive remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Adobe

Acrobat Reader

affected

Version	Status	Constraints
`0`	affected	≤ 26.001.21411

Configuration 1 [-]

AND

OR	cpe:2.3:a:adobe:acrobat:::::classic:::*
	cpe:2.3:a:adobe:acrobat_dc:::::continuous:::*
	cpe:2.3:a:adobe:acrobat_reader_dc:::::continuous:::*

OR	cpe:2.3:o:apple:macos:-:::::::*
	cpe:2.3:o:microsoft:windows:-:::::::*

No data.

Vendor Product Confidence Versions

Adobe

Acrobat Reader

100%

Version	Status	Scheme	Platform
`[0,26.001.21411]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Adobe Acrobat Reader update, preferably the version 26.001.21411 release or later.
Avoid opening PDF files from untrusted or unknown sources.
Implement file‑type filtering and content‑type validation on email gateways and web servers to block executable PDFs.
Monitor Adobe security advisories and the provided reference link for additional updates or work‑arounds.

Generated by OpenCVE AI on April 14, 2026 at 17:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00235.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://helpx.adobe.com/security/products/acrobat/apsb26-44.html

History

Thu, 16 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe acrobat Adobe acrobat Dc Adobe acrobat Reader Dc Apple Apple macos Microsoft Microsoft windows
CPEs		cpe:2.3:a:adobe:acrobat:::::classic:::* cpe:2.3:a:adobe:acrobat_dc:::::continuous:::* cpe:2.3:a:adobe:acrobat_reader_dc:::::continuous:::* cpe:2.3:o:apple:macos:-:::::::* cpe:2.3:o:microsoft:windows:-:::::::*
Vendors & Products		Adobe acrobat Adobe acrobat Dc Adobe acrobat Reader Dc Apple Apple macos Microsoft Microsoft windows

Wed, 15 Apr 2026 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe Adobe acrobat Reader
Vendors & Products		Adobe Adobe acrobat Reader

Tue, 14 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 14 Apr 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Title		Acrobat Reader \| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)
Weaknesses		CWE-1321
References		https://helpx.adobe.com/security/products/acrobat/apsb26-44.html
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`

Subscriptions

Adobe Acrobat Acrobat Dc Acrobat Reader Acrobat Reader Dc

Apple Macos

Microsoft Windows

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2026-04-14T16:18:05.530Z

Updated: 2026-04-15T03:58:27.650Z

Reserved: 2026-03-30T17:30:36.490Z

Link: CVE-2026-34622

Vulnrichment

Updated: 2026-04-14T17:53:26.189Z

NVD

Status : Analyzed

Published: 2026-04-14T17:16:51.110

Modified: 2026-04-16T14:14:56.200

Link: CVE-2026-34622

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses

CWE-1321

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object