VYPR · Published Apr 15, 2026 · Updated May 18, 2026 · 1 source

Adobe ColdFusion Vulnerability CVE-2026-34619 Allows Arbitrary File Deletion via Directory Traversal

A newly disclosed vulnerability in Adobe ColdFusion, tracked as CVE-2026-34619, allows authenticated remote attackers to delete arbitrary files through a directory traversal flaw in the deleteVersion method.

Adobe has released a security update to address CVE-2026-34619, a directory traversal vulnerability in ColdFusion that could allow authenticated remote attackers to delete arbitrary files on affected systems. The flaw, disclosed by the Zero Day Initiative (ZDI) on April 15, 2026, carries a CVSS score of 5.4 and affects the deleteVersion method of the popular web application platform.

The vulnerability stems from improper validation of user-supplied data before it is used in file operations. Specifically, the deleteVersion method fails to sanitize input, enabling an attacker to traverse directories and delete files outside the intended scope. While authentication is required to exploit the flaw, the ZDI advisory notes that the existing authentication mechanism can be bypassed, potentially allowing unauthenticated exploitation in some scenarios.
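To make the defect class concrete, the following is an added illustration (not ColdFusion's code and not from the advisory) of a "delete version" routine written the way the paragraph describes, next to a hardened form. The function names `unsafe_delete_version`, `resolve_version_path` and `safe_delete_version`, the `versions` directory layout and the file names are all constructed for the demonstration. The hardened version canonicalizes the base directory and the requested path, then refuses any result that does not stay inside the base, which covers `..` segments, absolute paths and symlink escapes alike.

```python
"""
Illustration of the path-traversal pattern described for CVE-2026-34619:
a delete routine that builds a filesystem path from a caller-supplied
version name without confining the result to its storage directory, beside
a hardened routine that canonicalizes and confines the path first.
Generic demonstration code; it is not ColdFusion's implementation.
"""
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path resolves outside the versions directory."""


def unsafe_delete_version(versions_dir: str, version_name: str) -> str:
    """Vulnerable pattern: the supplied name is joined to the directory and
    removed as-is. A name such as '../protected.txt' resolves outside
    versions_dir, so the caller decides which file is deleted."""
    target = os.path.join(versions_dir, version_name)
    os.remove(target)
    return target


def resolve_version_path(versions_dir: str, version_name: str) -> Path:
    """Hardened resolution: canonicalize the base directory and the requested
    path (collapsing '..' and following symlinks), then require that the result
    lies strictly inside the base."""
    base = Path(versions_dir).resolve(strict=True)
    # Checking the resolved path means the check reflects what the OS would
    # actually delete, not the textual form the caller sent.
    candidate = (base / version_name).resolve()
    if candidate == base or base not in candidate.parents:
        raise PathTraversalError(f"refusing path outside {base}: {version_name!r}")
    return candidate


def safe_delete_version(versions_dir: str, version_name: str) -> str:
    """Delete a version file only after the path has been confined."""
    target = resolve_version_path(versions_dir, version_name)
    if not target.is_file():
        raise FileNotFoundError(str(target))
    target.unlink()
    return str(target)


def demo() -> dict:
    """Constructed scenario: a versions directory beside an unrelated file
    that must never be deletable through the version API."""
    root = Path(tempfile.mkdtemp())
    versions = root / "versions"
    versions.mkdir()
    (versions / "v1.cfm").write_text("version 1")
    protected = root / "protected.txt"
    protected.write_text("must survive")

    results = {}
    # The unsafe routine follows '..' out of the versions directory.
    unsafe_delete_version(str(versions), "../protected.txt")
    results["unsafe_deleted_outside"] = not protected.exists()

    protected.write_text("must survive")  # restore for the hardened run
    try:
        safe_delete_version(str(versions), "../protected.txt")
        results["safe_rejected_traversal"] = False
    except PathTraversalError:
        results["safe_rejected_traversal"] = True
    results["protected_still_exists"] = protected.exists()

    # A legitimate request inside the directory still succeeds.
    safe_delete_version(str(versions), "v1.cfm")
    results["safe_deleted_inside"] = not (versions / "v1.cfm").exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The important design point is that the containment check runs on the resolved path rather than on the raw string: rejecting the literal substring `..` misses encoded variants and symlinked directories, while comparing canonical paths catches anything the operating system would actually resolve outside the base.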

Successful exploitation could allow an attacker to delete files in the context of the ColdFusion service account. This could lead to denial of service, data loss, or further compromise of the underlying server if critical system files are removed. The vulnerability was discovered by Jonathan Lein of TrendAI Research and reported to Adobe on March 25, 2026.

Adobe has addressed the issue in a security update detailed in advisory APSB26-38. The update is available for all supported versions of ColdFusion. Administrators are strongly urged to apply the patch immediately to mitigate the risk of exploitation.

This vulnerability is part of a broader trend of file operation flaws in enterprise software that can lead to arbitrary file deletion or overwrite. Such vulnerabilities are particularly dangerous because they can be chained with other exploits to achieve remote code execution or privilege escalation. The ZDI has classified this as a coordinated public release, with the advisory updated on the same day as the disclosure.

Organizations running Adobe ColdFusion should prioritize patching, especially if the application is exposed to the internet or accessible by untrusted users. As with many Adobe products, ColdFusion is a frequent target for attackers due to its widespread deployment in enterprise environments. The company has not reported active exploitation in the wild, but the availability of detailed technical information in the advisory increases the risk of attacks.

Synthesized by Vypr AI