CVE-2026-34619
Path Traversal in Adobe ColdFusion Allows Security Bypass
Publication date: 2026-04-14
Last updated on: 2026-04-16
Assigner: Adobe Systems Incorporated
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2025 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2025 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2025 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2025 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2025 |
| adobe | coldfusion | 2025 |
| adobe | coldfusion | 2023 |
| adobe | coldfusion | 2025 |
| adobe | coldfusion | 2023 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an attacker to bypass security features and access unauthorized files or directories outside intended restrictions. This could potentially lead to exposure of sensitive or protected data.
Such unauthorized access may impact compliance with standards and regulations like GDPR or HIPAA, which require strict controls on data access and protection of personal or sensitive information.
However, the provided information does not explicitly describe the direct effects on compliance with these standards.
Can you explain this vulnerability to me?
This vulnerability affects ColdFusion versions 2023.18, 2025.6 and earlier. It is an Improper Limitation of a Pathname to a Restricted Directory, also known as a Path Traversal vulnerability. This means that an attacker can bypass security restrictions and access files or directories that should be off-limits.
The attacker does not need any user interaction to exploit this vulnerability, making it easier to leverage.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to bypass security features and access unauthorized files or directories outside the intended restricted areas.
Such unauthorized access could lead to potential disruption or damage, as indicated by the CVSS score which shows a high impact on availability.