CVE-2026-34626
Status: Received - Intake
Prototype Pollution in Adobe Acrobat Reader Enables Arbitrary File Read

Publication date: 2026-04-14

Last updated on: 2026-04-16

Assigner: Adobe Systems Incorporated

Description
Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file system read in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Meta Information
Published: 2026-04-14
Last Modified: 2026-04-16
Generated: 2026-05-07
AI Q&A: 2026-04-14
EPSS Evaluated: 2026-05-05
CVSS Scores: not listed on this page
EPSS Scores: probability and percentile not listed on this page
Cross-references: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor   Product             Version / Range
adobe    acrobat             from 24.0.0 (inclusive) to 24.001.30365 (exclusive)
adobe    acrobat_dc          from 15.008.20082 (inclusive) to 26.001.21431 (exclusive)
adobe    acrobat_reader_dc   from 15.008.20082 (inclusive) to 26.001.21431 (exclusive)
CWE
CWE-1321: The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects the Acrobat Reader versions listed above and is classified as Improperly Controlled Modification of Object Prototype Attributes (CWE-1321), better known as 'Prototype Pollution'.

Prototype pollution is a JavaScript-class bug: code that copies attacker-supplied keys into an object without filtering them lets a key such as __proto__ or constructor.prototype write through to the shared Object.prototype, so every object in the runtime inherits the attacker's values and code paths that later read those properties misbehave. Acrobat embeds a JavaScript engine for document-level scripting; Adobe's description does not say which component or parser is affected, only the outcome.

That outcome is an arbitrary file system read with the privileges of the user running Acrobat Reader.

Exploitation requires user interaction: the victim must open a malicious file (typically a crafted PDF) that triggers the issue.

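To show what CWE-1321 looks like in code, here is an added example in plain JavaScript. It is not Adobe's code and does not reproduce the Acrobat issue (Adobe has not disclosed the affected component); the unsafeMerge and safeMerge functions and the PAYLOAD string are constructed for this illustration only.

```javascript
// Added illustration of CWE-1321 (prototype pollution) in plain JavaScript.
// It is NOT Adobe's code and does not reproduce CVE-2026-34626; it shows the
// bug pattern the CWE describes and one way to close it.

// Vulnerable: a recursive "deep merge" that trusts every key in the input.
function unsafeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    const value = src[key];
    if (value !== null && typeof value === 'object') {
      // When key is "__proto__", dst[key] resolves to Object.prototype, so the
      // recursion writes attacker-chosen properties onto the shared prototype.
      if (dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      unsafeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Hardened: refuse the keys that reach the prototype chain and only recurse
// into properties the destination object actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(dst, src) {
  for (const key of Object.keys(src)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = src[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(dst, key);
      if (!own || dst[key] === null || typeof dst[key] !== 'object') dst[key] = {};
      safeMerge(dst[key], value);
    } else {
      dst[key] = value;
    }
  }
  return dst;
}

// Constructed sample input: attacker-controlled JSON. JSON.parse keeps
// "__proto__" as an ordinary own key, so Object.keys() returns it.
const PAYLOAD = '{"name": "invoice", "__proto__": {"polluted": "yes"}}';

// Returns what an unrelated, freshly created object inherits after the unsafe merge.
function unsafeDemo() {
  unsafeMerge({}, JSON.parse(PAYLOAD));
  const inherited = ({}).polluted;      // "yes": every object now carries it
  delete Object.prototype.polluted;     // undo the damage for the rest of the run
  return inherited;
}

// Returns the same observation after the hardened merge, plus the merged value.
function safeDemo() {
  const target = safeMerge({}, JSON.parse(PAYLOAD));
  return { inherited: ({}).polluted, name: target.name };  // { inherited: undefined, name: "invoice" }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe merge, unrelated object inherits:', unsafeDemo());
  console.log('safe merge:', safeDemo());
}
```

Key filtering is the minimum fix; a runtime that never needs prototype mutation can additionally call Object.freeze(Object.prototype) at startup so that any surviving write fails instead of silently poisoning every object.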

How can this vulnerability impact me?

If exploited, it lets an attacker read arbitrary files on your system with the same permissions as the user running Acrobat Reader: documents, browser profiles, credential and token files, and anything else that user can open.

That is unauthorized access to sensitive information stored on the device, and the data obtained can be used in follow-on attacks.

Exploitation requires that you open a specially crafted file, so the attacker needs a delivery path (an email attachment, a download, a shared drive) and a user who opens it; the file itself need not look suspicious.


What immediate steps should I take to mitigate this vulnerability?

Update Acrobat Reader to a build outside the affected ranges in the CPE table above: 26.001.21431 or later on the Continuous track, or 24.001.30365 or later on the Classic 2024 track. The versions named in the description (26.001.21411, 24.001.30360, 24.001.30362 and earlier) are all vulnerable, so "later than 26.001.21411" is not by itself a sufficient test; compare installed builds against the fixed build numbers and verify the version after updating.

Until the update is deployed, reduce exposure with controls rather than relying on users to spot malicious files: block or quarantine PDF attachments from untrusted senders at the mail gateway, keep Protected Mode (the Reader sandbox on Windows) and Protected View enabled, and consider disabling Acrobat JavaScript (Preferences > JavaScript > uncheck "Enable Acrobat JavaScript", or the equivalent FeatureLockDown policy value; see Adobe's Preference Reference for the exact key). Adobe's description does not identify the affected component, so disabling JavaScript is defense in depth, not a confirmed fix.

User education about untrusted attachments still helps, since exploitation requires the victim to open the file, but it should back up the controls above, not replace them.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows arbitrary file system read access in the context of the current user after opening a malicious file, which could lead to unauthorized access to sensitive data.

Such unauthorized access to sensitive or personal data could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on data confidentiality and access.

However, exploitation requires user interaction, which may limit the risk but does not eliminate the compliance concerns related to data exposure.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There is no network signature for this issue: the page lists no indicators of compromise, and the trigger is a file opened locally. Detection is therefore an inventory problem: find every endpoint whose Acrobat or Acrobat Reader build falls inside the affected ranges in the CPE table above (below 24.001.30365 on the Classic 2024 track, below 26.001.21431 on the Continuous track).

  • On Windows, read the installed version from the uninstall registry keys with PowerShell (covers both 32-bit and 64-bit installs):
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Where-Object DisplayName -like 'Adobe Acrobat*' | Select-Object DisplayName, DisplayVersion
    Avoid "wmic product": it enumerates Win32_Product, which triggers an MSI consistency check of every installed package, and WMIC itself has been removed from recent Windows releases.
  • On macOS, read the bundle version from the application's Info.plist:
    defaults read "/Applications/Adobe Acrobat Reader.app/Contents/Info.plist" CFBundleShortVersionString
    (older installs are named "Adobe Acrobat Reader DC.app"; the AdobeReader binary has no --version flag.)
  • Linux: Adobe has not shipped Acrobat Reader for Linux since the 9.x series, so no current package matches this advisory; a hit from "dpkg -l | grep -i acrobat" or "rpm -qa | grep -i acrobat" would be a long-unsupported legacy build that should be removed regardless of this CVE.

For endpoint monitoring, alert on the Reader process (AcroRd32.exe or Acrobat.exe on Windows, AdobeReader on macOS) reading files outside the user's document locations and its own installation and profile directories. Such reads are not proof of exploitation, and the page provides no specific signatures, but paired with a recently opened PDF from an external sender they are worth triaging.

