ZDI 2026-04-15

ZDI-26-262: Adobe ColdFusion deleteVersion Directory Traversal Arbitrary File Deletion Vulnerability

CVE-2026-34619

Machine-generated analysis · WAYSCloud LLM

The advisory notes authentication is required but can be bypassed, which may expand the pool of potential attackers despite the access control requirement.

Context

Adobe ColdFusion is affected by a directory traversal vulnerability in the deleteVersion functionality. The vulnerability allows remote attackers to delete arbitrary files on the system. The advisory states that authentication is required but can be bypassed. Worth noting: the CVSS score is 5.4, indicating a medium severity rating.

Operator considerations

Check: Verify if Adobe ColdFusion is deployed and identify the version in use.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to delete arbitrary files on affected installations of Adobe ColdFusion. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 5.4. The following CVEs are assigned: CVE-2026-34619.

Read the full advisory on ZDI →