Skip to main content

Adobe Campaign Classic CVE-2026-48286

| EUVDEUVD-2026-40337 CRITICAL
Incorrect Authorization (CWE-863)
2026-06-30 adobe GHSA-f44v-356v-7qcf
10.0
CVSS 3.1 · Vendor: adobe
Share

Severity by source

Vendor (adobe) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Network-reachable authorization bypass needing no auth or interaction yields PR:N/UI:N/AC:L, and code execution crossing the component boundary justifies S:C with full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

Primary rating from Vendor (adobe).

CVSS VectorVendor: adobe

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 16:22 vuln.today
CVE Published
Jun 30, 2026 - 15:08 nvd
CRITICAL 10.0

DescriptionCVE.org

Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue does not require user interaction. Scope is changed.

AnalysisAI

Remote code execution in Adobe Campaign Classic (ACC) version 7.4.3 build 9396 and earlier allows unauthenticated attackers to bypass authorization controls and run arbitrary code in the context of the current user. The flaw stems from an incorrect authorization check (CWE-863) reachable over the network with no user interaction, and the changed scope means impact can extend beyond the vulnerable component. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed ACC endpoint over network
Delivery
Send crafted request bypassing authorization check
Exploit
Invoke privileged server-side functionality
Execution
Execute arbitrary code as ACC service
Impact
Pivot across changed scope to host

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of Adobe Campaign Classic version 7.4.3 build 9396 and earlier, per the CVSS vector AV:N/AC:L/PR:N/UI:N and the description's explicit note that exploitation does not require user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available severity signals point to top-tier priority: the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H scores a maximum 10.0, indicating network-reachable, low-complexity, unauthenticated exploitation with no user interaction and full confidentiality, integrity and availability impact across a changed scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reachability to an internet-exposed Adobe Campaign Classic server sends crafted requests to a privileged endpoint, abusing the incorrect authorization check to invoke functionality that should require authentication. Because no credentials and no user interaction are needed, the attacker chains the bypass into arbitrary code execution in the context of the ACC service, gaining a foothold on the host. …
Remediation Patch available per vendor advisory: upgrade Adobe Campaign Classic to the fixed release identified in Adobe Security Bulletin APSB26-69 (https://helpx.adobe.com/security/products/campaign/apsb26-69.html), as builds at or below 7.4.3 build 9396 are vulnerable; the exact patched build should be confirmed directly from that bulletin before deployment as a specific fix version was not included in the provided data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all ACC deployments and identify systems running version 7.4.3 build 9396 or earlier; implement network segmentation to restrict ACC access to trusted internal networks only; enable detailed logging of all authentication and authorization events. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-48286 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy