Description
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Published: 2026-05-12
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Incorrect Authorization flaw in Adobe Connect allows an attacker to inject malicious scripts into a web page and execute arbitrary code within the victim’s user context. The vulnerability enables a remote attacker to elevate privileges or gain full control over the victim’s account, effectively allowing the execution of arbitrary code. It originates from insufficient access checks when processing user-supplied input.

Affected Systems

Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected. Any deployment of these software releases is susceptible unless updated to a newer, non‑vulnerable version.

Risk and Exploitability

The CVSS score of 9.3 indicates a very high overall risk. The attack requires a victim to visit a maliciously crafted URL or interact with a compromised web page, so the vector is remote web-based with user interaction. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, the high severity and the fact that an attacker could inject code make this vulnerability critical for any organization running affected versions of Adobe Connect.

Generated by OpenCVE AI on May 12, 2026 at 20:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe Connect security update or upgrade to a non‑affected version from Adobe’s official distribution channels.
  • If the patch is not yet available, restrict or disable the affected feature that permits script injection and enforce strict input validation.
  • Educate users to avoid clicking suspicious URLs, and monitor web traffic for anomalous requests that may indicate exploitation attempts.

Generated by OpenCVE AI on May 12, 2026 at 20:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe adobe Connect
Vendors & Products Adobe
Adobe adobe Connect

Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Title Adobe Connect | Incorrect Authorization (CWE-863)
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Adobe Adobe Connect
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-05-13T03:58:21.118Z

Reserved: 2026-03-30T17:30:36.493Z

Link: CVE-2026-34660

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T19:16:30.930

Modified: 2026-05-12T19:16:30.930

Link: CVE-2026-34660

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T23:15:26Z

Weaknesses