Description
Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file system read in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Published: 2026-04-14
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary local file read
Action: Patch
AI Analysis

Impact

The flaw is an improper control over object prototype attributes, a form of prototype pollution. When a malicious PDF file is opened, an attacker can trigger code that reads an arbitrary file from the victim’s local file system. The weakness is classified as CWE‑1321 and could expose sensitive data. The impact is limited to file read under the current user’s privileges, but it can still compromise confidentiality.

Affected Systems

Adobe Acrobat Reader 26.001.21411, 24.001.30360, and 24.001.30362, along with all earlier releases, are impacted. This affects all users who have not upgraded past these revisions. The vulnerability applies to any installation of Acrobat Reader, though the operating system is not specified in the advisory.

Risk and Exploitability

The CVSS base score of 6.3 indicates a moderate risk level. The EPSS score is not available. The issue is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. Exploitation requires user interaction to open a crafted PDF file, meaning the threat is user‑dependent. Because the attack is confined to local file read, the overall risk is moderate, but any environment handling PDF documents should consider patching promptly.

Generated by OpenCVE AI on April 14, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Adobe Acrobat Reader to the latest version that supersedes 26.001.21411, 24.001.30360, and 24.001.30362.
  • Configure Adobe Reader to require user confirmation before executing scripts or opening embedded objects.
  • Avoid opening PDF files from unknown or untrusted sources.

Generated by OpenCVE AI on April 14, 2026 at 17:52 UTC.

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe acrobat, Adobe acrobat Dc, Adobe acrobat Reader Dc, Apple, Apple macos, Microsoft, Microsoft windows |
| CPEs | | `cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*`, `cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*`, `cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*`, `cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*`, `cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*` |
| Vendors & Products | | Adobe acrobat, Adobe acrobat Dc, Adobe acrobat Reader Dc, Apple, Apple macos, Microsoft, Microsoft windows |

Wed, 15 Apr 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe, Adobe acrobat Reader |
| Vendors & Products | | Adobe, Adobe acrobat Reader |

Tue, 14 Apr 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Tue, 14 Apr 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file system read in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. |
| Title | | Acrobat Reader \| Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321) |
| Weaknesses | | CWE-1321 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}` |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-04-14T17:53:05.039Z

Reserved: 2026-03-30T17:30:36.490Z

Link: CVE-2026-34626

Vulnrichment

Updated: 2026-04-14T17:53:00.829Z

NVD

Status: Analyzed

Published: 2026-04-14T17:16:51.283

Modified: 2026-04-16T14:14:59.690

Link: CVE-2026-34626

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T15:30:06Z

Weaknesses