CVE-2026-34659 - Vulnerability Details

- Adobe Connect | Deserialization of Untrusted Data (CWE-502)

Description

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.

Published: 2026-05-12

Score: 9.6 Critical

EPSS: 3.7% Low

KEV: No

Impact:

Action:

Analysis

Impact

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are vulnerable to a deserialization of untrusted data flaw (CWE‑502). The weakness is exploitable to run arbitrary code under the context of the user whose browser visits a crafted URL or a compromised web page. The vulnerability changes the scope of the attack, allowing the attacker to gain control over the entire client application. Consequently, the impact is a high‑severity compromise of confidentiality, integrity, and availability for any affected user.

Affected Systems

Adobe Connect by Adobe, specifically versions 2025.9.15, 2025.8.157 and earlier. There is no mention of other versions or editions.

Risk and Exploitability

The CVSS score of 9.6 indicates critical severity. The EPSS score of 3% indicates a low but nonzero probability of exploitation, though the vulnerability is not part of the KEV catalogue. The attack requires user interaction – a victim must visit a maliciously crafted URL or interact with a compromised web page – and then the deserialization flaw is triggered. Given the catastrophic consequence of arbitrary code execution, the overall risk to organizations using these versions is extremely high.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Adobe

Adobe Connect

affected

Version	Status	Constraints
`0`	affected	≤ 2025.8.157

Configuration 1 [-]

OR	cpe:2.3:a:adobe:connect_desktop_application::::::macos::*
	cpe:2.3:a:adobe:connect_desktop_application:2025.9.15:::::windows::

No data.

Vendor Product Confidence Versions

Adobe

Adobe Connect

100%

Version	Status	Scheme	Platform
`[0,2025.8.157]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Adobe Connect to a patch version newer than 2025.9.15
If an update is not immediately possible, restrict Connect service to trusted internal networks and block external access from untrusted hosts
Deploy a web application firewall or equivalent filtering to block crafted URLs and monitor traffic for known deserialization attack patterns
Limit the number of users with administrative privileges and enforce strong authentication to reduce the impact of a successful exploit

Generated by OpenCVE AI on May 14, 2026 at 14:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.03743.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://helpx.adobe.com/security/products/connect/apsb26-50.html

History

Wed, 13 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe connect Desktop Application
CPEs		cpe:2.3:a:adobe:connect_desktop_application::::::macos::* cpe:2.3:a:adobe:connect_desktop_application:2025.9.15:::::windows::
Vendors & Products		Adobe connect Desktop Application

Wed, 13 May 2026 10:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Wed, 13 May 2026 00:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe Adobe adobe Connect
Vendors & Products		Adobe Adobe adobe Connect

Tue, 12 May 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Title		Adobe Connect \| Deserialization of Untrusted Data (CWE-502)
Weaknesses		CWE-502
References		https://helpx.adobe.com/security/products/connect/apsb26-50.html
Metrics		cvssV3_1 `{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}`

Subscriptions

Adobe Adobe Connect Connect Desktop Application

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2026-05-12T18:35:20.208Z

Updated: 2026-05-13T09:57:22.185Z

Reserved: 2026-03-30T17:30:36.493Z

Link: CVE-2026-34659

Vulnrichment

Updated: 2026-05-13T09:56:47.716Z

NVD

Status : Analyzed

Published: 2026-05-12T19:16:30.800

Modified: 2026-05-13T19:38:48.113

Link: CVE-2026-34659

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:45:22Z

Weaknesses

CWE-502

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object