Arbitrary File Deletion in Adobe ColdFusion (CVE‑2026‑34619) Threatens Web Applications
What It Is – A directory‑traversal flaw in the deleteVersion method of Adobe ColdFusion allows remote attackers, after bypassing authentication, to delete arbitrary files on the server. The vulnerability is tracked as CVE‑2026‑34619 and carries a CVSS 5.4 (Moderate) score.
Exploitability – Exploitation requires network access and a valid (or bypassed) authentication token. No public exploit code has been released, but the vulnerability is actively being weaponised in targeted attacks.
Affected Products – Adobe ColdFusion (all supported versions prior to the April 2026 security update).
TPRM Impact – Organizations that rely on ColdFusion‑based web services face potential service disruption, loss of critical configuration files, and downstream supply‑chain effects if the compromised service powers other business‑critical applications.
Recommended Actions –
- Deploy Adobe’s April 2026 security update (APS‑B26‑38) immediately.
- Harden file‑system permissions for the ColdFusion service account to least‑privilege.
- Enable Web Application Firewall (WAF) rules that block suspicious deleteVersion requests.
- Conduct a rapid inventory of all third‑party applications that depend on ColdFusion and reassess their risk posture.
- Monitor server logs for anomalous deleteVersion activity and trigger alerts on file‑deletion events.
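The log-monitoring action above can be turned into a concrete detection. The following is an added example written for this summary; it is not Adobe code and not part of the advisory. It assumes the access log is in the common/combined log format and that calls to the vulnerable method appear as HTTP requests whose path or query string contains "deleteVersion" with a file-name parameter (the path `/cfide/deleteVersion` and the parameter name `file` are placeholders, since the advisory does not document the real request shape). The sample log lines are constructed. Requests are percent-decoded repeatedly so that single- and double-encoded traversal sequences are caught, backslashes are normalised to forward slashes, and a hit on the deletion endpoint combined with a traversal sequence is rated high so it can feed an alert.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format). Not real traffic.
# The endpoint path and "file" parameter are assumptions for illustration only.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2026:10:01:02 +0000] "GET /cfide/deleteVersion?file=reports/q1.pdf HTTP/1.1" 200 512
10.0.0.9 - - [12/Apr/2026:10:01:07 +0000] "POST /cfide/deleteVersion?file=../../../app-config/settings.xml HTTP/1.1" 200 87
10.0.0.9 - - [12/Apr/2026:10:01:09 +0000] "POST /cfide/deleteVersion?file=%2e%2e%2f%2e%2e%2fconfig.xml HTTP/1.1" 200 87
10.0.0.9 - - [12/Apr/2026:10:01:11 +0000] "POST /cfide/deleteVersion?file=%252e%252e%252fweb.xml HTTP/1.1" 200 87
10.0.0.7 - - [12/Apr/2026:10:01:15 +0000] "GET /index.cfm HTTP/1.1" 200 2048
10.0.0.7 - - [12/Apr/2026:10:01:20 +0000] "GET /static/..%5c..%5csettings.ini HTTP/1.1" 404 0
"""

# Common log format: client - user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# A ".." segment not preceded by a word character or dot and followed by "/" or end.
TRAVERSAL_RE = re.compile(r'(?<![\w.])\.\.(?:/|$)')


def decode_fully(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded sequences (%252e) are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_line(line: str):
    """Return a finding dict for a suspicious or endpoint-related line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_fully(m.group("target")).replace("\\", "/")
    touches_delete = "deleteversion" in target.lower()
    traversal = bool(TRAVERSAL_RE.search(target))
    if touches_delete and traversal:
        severity = "high"    # deletion endpoint plus traversal: alert immediately
    elif traversal:
        severity = "medium"  # traversal against another path: worth review
    elif touches_delete:
        severity = "info"    # ordinary use of the endpoint, kept for baselining
    else:
        return None
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "target": target,
        "status": int(m.group("status")),
        "severity": severity,
    }


def analyze_log(text: str):
    """Run analyze_line over every line and keep only the findings."""
    return [f for f in (analyze_line(ln) for ln in text.splitlines()) if f]


def high_severity_sources(findings):
    """Group high-severity hits by client IP so one alert per source is raised."""
    out = {}
    for f in findings:
        if f["severity"] == "high":
            out.setdefault(f["ip"], []).append(f["target"])
    return out


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['severity']:6} {f['ip']:10} {f['method']:4} {f['target']}")
    for ip, targets in high_severity_sources(results).items():
        print(f"ALERT: {ip} issued {len(targets)} traversal attempts against deleteVersion")
```

Because the decoded target is what gets matched, the same rule catches `../`, `%2e%2e%2f`, `%252e%252e%252f` and backslash variants without a separate pattern for each; the medium-severity bucket keeps traversal against other paths visible without tying it to this CVE.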