Adobe ColdFusion Directory Traversal Bug CVE-2026-27305 Lets Attackers Read Sensitive Files
A critical directory traversal vulnerability in Adobe ColdFusion, tracked as CVE-2026-27305, allows unauthenticated remote attackers to read arbitrary files from the server, and Adobe has released an emergency security update to patch the flaw.

Adobe has released an emergency security update to address a critical directory traversal vulnerability in ColdFusion that could allow unauthenticated attackers to read sensitive files from affected servers. The flaw, tracked as CVE-2026-27305 and assigned a CVSS score of 7.5, was disclosed by the Zero Day Initiative (ZDI) on April 15, 2026, after responsible disclosure to Adobe on March 20, 2026.
The vulnerability resides in the `fetchCFSettingFile` method of Adobe ColdFusion. The issue stems from improper validation of user-supplied path parameters before they are used in file operations. An attacker can exploit this flaw by sending a specially crafted HTTP request containing directory traversal sequences (such as `../`) to read arbitrary files on the server, including configuration files, credentials, and other sensitive data. No authentication is required to exploit the vulnerability, making it particularly dangerous for internet-facing ColdFusion instances.
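The flaw class described above, improper validation of a user-supplied path before a file operation, is conventionally mitigated by canonicalising the requested path and checking that it still lies under the intended directory, rather than by filtering `../` strings. The following is an added example written for this article, not code from Adobe ColdFusion or from the ZDI advisory; the settings directory, the `/cfide/settings?file=` endpoint and the log lines are constructed and hypothetical, since the page does not name the real parameter or location. The first function shows the hardened check; the second is a small triage helper, of the kind a security team might run over web-server access logs when reviewing a deployment for traversal attempts, that decodes percent-encoding (including double encoding) before matching.

```python
import os
import urllib.parse

# Hypothetical settings directory used for this example; the real location
# of the settings files in ColdFusion is not given on the page.
SETTINGS_ROOT = "/opt/coldfusion/cfusion/settings"


def resolve_settings_path(requested, base_dir=SETTINGS_ROOT):
    """Return the canonical path of a settings file under base_dir, or None
    if the request would escape it.

    Hardened pattern: decode, normalise, then compare the canonical candidate
    against the canonical base directory. A blacklist of "../" would miss
    encoded variants and backslash separators; this check does not.
    """
    # Decode twice so double-encoded sequences (%252e%252e) are seen;
    # each unquote is a no-op once nothing is encoded.
    decoded = urllib.parse.unquote(urllib.parse.unquote(requested))
    # Reject empty names, absolute paths and embedded NUL bytes outright.
    if not decoded or decoded.startswith(("/", "\\")) or "\x00" in decoded:
        return None
    # Treat backslashes as separators as well, in case the host is Windows.
    decoded = decoded.replace("\\", "/")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Accept only descendants of base; the base directory itself is not a file.
    if candidate.startswith(base + os.sep):
        return candidate
    return None


# Constructed access-log lines (Apache combined style) for the triage helper;
# the endpoint and file names are hypothetical, not taken from the advisory.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Apr/2026:10:01:02 +0000] "GET /cfide/settings?file=example-settings.xml HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Apr/2026:10:01:07 +0000] "GET /cfide/settings?file=..%2F..%2F..%2Fconf%2Fexample-secrets.properties HTTP/1.1" 200 1850',
    '10.0.0.9 - - [16/Apr/2026:10:01:09 +0000] "GET /cfide/settings?file=%252e%252e%252fconf%252fexample.xml HTTP/1.1" 404 0',
    '10.0.0.12 - - [16/Apr/2026:10:02:00 +0000] "POST /login.cfm HTTP/1.1" 302 0',
]


def flag_traversal_requests(log_lines):
    """Return (line_number, decoded_request_path) for every access-log line
    whose request path contains a traversal sequence in raw, percent-encoded
    or double-encoded form."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        # Pull the request target out of the quoted request line.
        start = line.find('"')
        if start == -1:
            continue
        request = line[start + 1:].split('"', 1)[0]
        parts = request.split(" ")
        if len(parts) < 2:
            continue
        decoded = urllib.parse.unquote(urllib.parse.unquote(parts[1]))
        if "../" in decoded or "..\\" in decoded:
            hits.append((number, decoded))
    return hits


if __name__ == "__main__":
    for name in ("example-settings.xml", "../../conf/example.xml",
                 "%2e%2e/%2e%2e/conf/example.xml"):
        print(f"{name!r} -> {resolve_settings_path(name)}")
    for number, path in flag_traversal_requests(SAMPLE_LOG):
        print(f"line {number}: traversal sequence in {path}")
```

The canonical-path comparison is the important part: it is independent of how the traversal is spelled, and it also catches a `..` that appears after a legitimate subdirectory. The log helper is intentionally simple and only surfaces candidates for a human to review; a request that is flagged is evidence of an attempt, not of a successful read, so the response status and size on the same line should be checked next.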
The impact of this vulnerability is significant because it allows information disclosure in the context of the ColdFusion service account, which often has broad access to the underlying operating system. Attackers could leverage the disclosed information to pivot to other systems, escalate privileges, or gain deeper access to the target environment. Given ColdFusion's widespread use in enterprise web applications, the potential for data breaches is significant.
Adobe has addressed the vulnerability in security update APSB26-38, which is available for download from the Adobe Security Advisory page. The company recommends that all ColdFusion customers apply the update immediately. The advisory notes that the vulnerability affects multiple versions of ColdFusion, and users running unsupported versions are urged to upgrade to a supported release.
The vulnerability was discovered and reported to Adobe by Jonathan Lein of TrendAI Research. The disclosure timeline shows that the researcher reported the flaw on March 20, ahead of the coordinated public release of the advisory on April 15, giving Adobe time to develop and test the patch. The ZDI advisory credits Lein for his responsible disclosure.
This is the second significant Adobe ColdFusion vulnerability disclosed in recent months, following a critical remote code execution flaw patched in January 2026. The recurring nature of these vulnerabilities highlights the importance of maintaining up-to-date software and implementing robust input validation in enterprise applications. Security teams are advised to prioritize the deployment of APSB26-38 and to review their ColdFusion deployments for any signs of compromise.
For more details, refer to the ZDI advisory and the Adobe Security Bulletin.