Introduction
An unauthenticated path traversal flaw in Adobe ColdFusion now allows any network based attacker to read arbitrary files from the server's file system, with no user interaction required. Disclosed on April 14, 2026 as part of Adobe's APSB26-38 bulletin, CVE-2026-27305 carries a CVSS 3.1 base score of 8.6 and has been assigned Adobe's highest remediation urgency: Priority 1.
ColdFusion is a commercial rapid web application development platform originally created in 1995 and now maintained by Adobe. While its market share in the application development category is relatively small (estimated between 0.03 and 0.25 percent), ColdFusion is frequently deployed in enterprise environments where it serves business critical applications, making it a disproportionately attractive target for adversaries seeking sensitive data.
Technical Information
CVE-2026-27305 falls under CWE-22: Improper Limitation of a Pathname to a Restricted Directory, commonly referred to as path traversal. The core issue is that ColdFusion fails to adequately validate or sanitize file path inputs before resolving them against the server's file system. This allows an attacker to supply directory traversal sequences that escape the intended document root and reach arbitrary locations on disk.
The CVSS 3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N, which breaks down as follows:
| Metric | Value | Meaning |
|---|---|---|
| Attack Vector | Network | Exploitable remotely |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No victim action required |
| Scope | Changed | Impact extends beyond the vulnerable component |
| Confidentiality | High | Full read access to the file system |
| Integrity | None | No write capability |
| Availability | None | No denial of service |
The "Changed" scope designation is particularly noteworthy. It indicates that a successful exploit affects resources beyond the security scope of the vulnerable ColdFusion component itself. In practical terms, an attacker who exploits this flaw could extract configuration files, database credentials, API keys, or other sensitive data stored anywhere on the file system that the ColdFusion process has read access to. This data could then be leveraged to facilitate further compromise of the system or the broader network.
The patches released by Adobe update the adminapi, administrator, and CCS packages, which strongly suggests the traversal issue resides within the administrative or core container subsystem of ColdFusion. The fix likely introduces proper sanitization or restriction of file path inputs that were previously resolved against the file system without adequate boundary checks, preventing directory traversal sequences (such as ../) from escaping the intended document root.
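To make the boundary check described above concrete, here is an added Python illustration (not ColdFusion's code, whose affected endpoint is not public) contrasting a naive join of a request path onto the document root with a resolver that decodes, canonicalises and refuses anything that leaves the root. The document root and request paths are constructed for the demonstration.

```python
"""Vulnerable vs. hardened file-path resolution for the CWE-22 pattern.
Added example; not Adobe ColdFusion source code."""
import os
import tempfile
from typing import Dict, Optional, Tuple
from urllib.parse import unquote

def resolve_naive(doc_root: str, user_path: str) -> str:
    """Vulnerable: URL-decodes and joins onto the root, but never checks
    that the normalised result is still inside the root, so '../' escapes."""
    return os.path.normpath(os.path.join(doc_root, unquote(user_path).lstrip("/")))

def resolve_safe(doc_root: str, user_path: str) -> Optional[str]:
    """Hardened: decode twice (so double-encoded dots do not survive one pass),
    reject NUL and backslash, canonicalise through symlinks, and require the
    real path to share the real root as its prefix. Returns None if refused."""
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded or "\\" in decoded:
        return None
    root = os.path.realpath(doc_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

PROBES = (
    "index.cfm",              # legitimate file under the root
    "../secret.txt",          # plain traversal
    "%2e%2e/secret.txt",      # URL-encoded traversal
    "sub/../../secret.txt",   # traversal after a harmless segment
    "index.cfm%00.txt",       # NUL injection, stays under root but is malformed
)

def probe() -> Dict[str, Tuple[bool, bool]]:
    """For each constructed request path report (naive_escaped, safe_blocked),
    using a temporary directory as the document root."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(os.path.join(tmp, "wwwroot"))
        os.makedirs(root)
        for p in PROBES:
            naive = os.path.realpath(resolve_naive(root, p))
            naive_escaped = os.path.commonpath([root, naive]) != root
            results[p] = (naive_escaped, resolve_safe(root, p) is None)
    return results

if __name__ == "__main__":
    for path, (escaped, blocked) in probe().items():
        print(f"{path!r:28} naive escaped root: {escaped!s:5} hardened refused: {blocked}")
```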
From an attacker's perspective, the exploitation flow would proceed as follows:
- Identify an internet facing ColdFusion instance running a vulnerable version (Update 6 or earlier for ColdFusion 2025, Update 18 or earlier for ColdFusion 2023).
- Craft a request to the vulnerable endpoint within the administrative or core container subsystem, injecting directory traversal sequences into a file path parameter.
- The server resolves the manipulated path without proper validation, reading the targeted file from the file system.
- The contents of the file are returned to the attacker, who can then harvest credentials, configuration data, or other sensitive information.
Because no authentication is required and the attack complexity is low, this entire chain can be automated at scale against exposed ColdFusion deployments.
Patch Information
Adobe addressed CVE-2026-27305 on April 14, 2026 through security bulletin APSB26-38, classified at Adobe's highest urgency tier: Priority 1. Two fixed product updates were released simultaneously:
| Product | Vulnerable Versions | Fixed Version | Build Number |
|---|---|---|---|
| ColdFusion 2025 | Update 6 and earlier | Update 7 | 2025,0,07,331586 |
| ColdFusion 2023 | Update 18 and earlier | Update 19 | 2023,0,19,330899 |
Beyond the path traversal fix, both updates bundle additional hardening. ColdFusion 2025 Update 7 upgrades the embedded Tomcat engine to 10.1.53.0, while ColdFusion 2023 Update 19 upgrades its embedded Tomcat to 9.0.116.0.
The updates are cumulative, meaning administrators do not need to apply every intermediate update before jumping to the fixed release. Installation can be performed through two methods:
Using ColdFusion Administrator Package Manager: Navigate to Package Manager, select Packages, and click Check for Updates in the Core Server section. Once the update is detected, click Update to apply the latest core package and all installed packages. Restart ColdFusion for the changes to take effect.
Offline Installation: Download the hotfix installer JAR file directly:
- CF 2025 Update 7: hotfix-007-331586.jar from cfdownload.adobe.com
- CF 2023 Update 19: hotfix-019-330899.jar from cfdownload.adobe.com
For JEE (non standalone) deployments, Adobe requires configuring the jdk.serialFilter JVM flag as an additional layer of deserialization protection. This flag is set in the application server startup file (e.g., Catalina.bat/sh for Tomcat, startWeblogic.cmd for WebLogic, or standalone.conf for WildFly/EAP) and should be verified as part of any update procedure.
After applying the updates, verify the installation by checking the ColdFusion build number:
- ColdFusion 2025 Update 7 should report 2025,0,07,331586
- ColdFusion 2023 Update 19 should report 2023,0,19,330899
Adobe also recommends applying the security configuration settings outlined in the ColdFusion 2025 and 2023 Lockdown Guides and updating the MySQL Java Connector to the latest version.
Credit for reporting CVE-2026-27305 was given to Jonathan Lein of TrendAI Research, who also reported two other issues in the same bulletin (CVE-2026-27282 and CVE-2026-34619).
Affected Systems and Versions
The following ColdFusion versions are confirmed vulnerable:
- ColdFusion 2025: Update 6 and all earlier updates
- ColdFusion 2023: Update 18 and all earlier updates
Any deployment of these versions, whether standalone or JEE based, that is reachable over the network is at risk. Internet facing instances are at the highest risk given that exploitation requires no authentication and no user interaction.
Vendor Security History
Adobe has a well documented history of patching critical vulnerabilities in ColdFusion. The APSB26-38 bulletin that addresses CVE-2026-27305 also patches multiple other critical flaws in the same release cycle, including an arbitrary code execution vulnerability (CVE-2026-27304), security feature bypasses, and a second path traversal vulnerability (CVE-2026-34619).
This pattern is not new. A previous ColdFusion arbitrary file read vulnerability, CVE-2024-20767, was actively exploited in the wild and was added to the CISA Known Exploited Vulnerabilities catalog. Security researchers also observed thousands of malicious requests targeting ColdFusion file read flaws during holiday periods, when security teams are typically understaffed.
The recurring nature of CWE-22 vulnerabilities in ColdFusion underscores the importance of both rapid patching and defense in depth measures such as the ColdFusion Lockdown Guides. While Adobe has not reported active exploitation of CVE-2026-27305 at the time of disclosure, the historical pattern strongly suggests that threat actors will reverse engineer the patches to develop working exploits in short order.
References
- Adobe Security Bulletin APSB26-38
- NVD Entry for CVE-2026-27305
- ColdFusion 2025 Update 7 Tech Notes
- ColdFusion 2023 Update 19 Tech Notes
- Tenable CVE-2026-27305
- CIS Advisory: Multiple Vulnerabilities in Adobe Products
- SentinelOne: CVE-2024-20767 Adobe ColdFusion Information Disclosure
- CrowdSec: CVE-2024-20767 Active Exploitation in Adobe ColdFusion
- Security Affairs: Thousands of ColdFusion Exploit Attempts
- ColdFusion 2023 Release Updates