Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
Dreamweaver Desktop versions 21.7 and earlier are affected by an Incorrect Authorization vulnerability that could lead to arbitrary file system read. An attacker could exploit this vulnerability to access sensitive files and directories outside the intended access scope. Exploitation of this issue requires user interaction in that a victim must open a malicious file. Scope is changed.
AnalysisAI
Incorrect Authorization in Adobe Dreamweaver Desktop 21.7 and earlier enables arbitrary file system reads beyond the application's intended access scope when a victim opens a specially crafted malicious file. The vulnerability (CWE-863) results in a scope change - meaning access to files outside the component's normal boundary is achieved - with high confidentiality impact and no integrity or availability loss. No public exploit code has been identified and this CVE does not appear in the CISA KEV catalog at time of analysis, but the high confidentiality impact and low attack complexity make it a meaningful risk for environments where users routinely open externally sourced project files.
Technical ContextAI
Adobe Dreamweaver Desktop is a professional web and application development IDE that processes complex project files, templates, and site configurations. CWE-863 (Incorrect Authorization) indicates the application fails to properly enforce authorization checks when resolving or reading file system paths during the processing of user-supplied or externally crafted files - it does not correctly verify that the requested resource falls within the permitted access scope. The CVSS Scope:Changed (S:C) component is technically significant: the vulnerability's impact crosses the security boundary of the application itself, allowing reads from areas of the file system the application should not normally be able to access. The CPE string cpe:2.3:a:adobe:dreamweaver_desktop:*:*:*:*:*:*:*:* confirms all platform variants of the desktop edition are affected through version 21.7. The 'Authentication Bypass' tag in the intelligence data aligns with the PR:N CVSS component - the attacker does not need to authenticate to the application to trigger the flaw.
RemediationAI
The primary remediation is to upgrade Adobe Dreamweaver Desktop to a version beyond 21.7 per the vendor advisory APSB26-62 at https://helpx.adobe.com/security/products/dreamweaver/apsb26-62.html. Note that the exact fixed version number is not independently confirmed from the available input data - consult the advisory directly for the specific patched release. If immediate patching is not feasible, the most effective compensating control is to restrict opening of Dreamweaver project files or site definitions received from untrusted or external sources, as exploitation requires a victim to open a malicious file. Applying OS-level read restrictions (e.g., AppLocker, SELinux policies, or macOS sandbox profiles) to limit Dreamweaver's file system access scope could reduce the blast radius of exploitation, though this may interfere with legitimate Dreamweaver functionality. Educating Dreamweaver users about the risk of opening unsolicited project files - particularly from email attachments, file-sharing platforms, or unverified repositories - is a meaningful interim control given the required user interaction.
More in Dreamweaver Desktop
View allArbitrary file system read in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to access sensitive f
Arbitrary code execution in Adobe Dreamweaver Desktop 21.7 and earlier stems from a vulnerable third-party component bun
Arbitrary code execution in Adobe Dreamweaver Desktop versions 21.7 and earlier allows attackers to run code in the cont
Arbitrary file system read in Adobe Dreamweaver Desktop 21.7 and earlier allows a local attacker to access sensitive fil
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35805
GHSA-4pfm-pggq-vxqq