Description
ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to gain elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
Published: 2026-06-09
Score: 8.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ColdFusion versions up to 2025.8 contain an Incorrect Authorization flaw (CWE-863) that allows an attacker with high privileges to execute code in the context of the current ColdFusion user without requiring any user interaction. Once leveraged, the flaw elevates the attacker’s access or control over the victim’s account or session. The vulnerability enables arbitrary code execution in a changed‑scope scenario.

Affected Systems

Adobe ColdFusion versions 2023.19, 2025.8, and all earlier releases are affected. Any installation of these versions should be assessed for current patch status.

Risk and Exploitability

The CVSS score of 8.4 categorizes this vulnerability as high severity. EPSS is not available, so the exact exploitation probability is unknown; the vulnerability is also not listed in the CISA KEV catalog. Exploitation does not require user interaction, and a high‑privileged attacker who can access the ColdFusion environment can exploit the flaw to execute arbitrary code or elevate privileges. The likely attack vector is an internal or super‑user scenario, an inference drawn from the description's statement that the flaw is exploitable without user interaction.

Generated by OpenCVE AI on June 9, 2026 at 22:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe ColdFusion security update (e.g., version 2025.9 or later) or the hotfix listed in the Adobe advisory.
  • Configure ColdFusion to run under a least‑privileged account and enforce strict access controls on all services.
  • Deploy a Web Application Firewall or equivalent monitoring to detect and block attempts to exploit arbitrary code execution patterns.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 01:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Adobe, Adobe coldfusion
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Adobe, Adobe coldfusion

Tue, 09 Jun 2026 21:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: ColdFusion versions 2023.19, 2025.8 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. A high-privileged attacker could exploit this vulnerability to gain elevated access or control over the victim's account or session. Exploitation of this issue does not require user interaction. Scope is changed.
Type: Title
  Values Removed: (none)
  Values Added: ColdFusion | Incorrect Authorization (CWE-863)
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-863
Type: References
  Values Removed: (none)
  Values Added: (none)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Adobe Coldfusion
MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T20:33:38.859Z

Reserved: 2026-05-20T15:50:31.361Z

Link: CVE-2026-47929

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-09T21:17:22.813

Modified: 2026-06-09T21:17:22.813

Link: CVE-2026-47929

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:15:18Z

Weaknesses