Cyber Resilience

CVE-2026-21274

High

Published: 13 January 2026

Published
13 January 2026
Modified
14 January 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0003 10.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21274 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Adobe Dreamweaver. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 10.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-21274 is an Incorrect Authorization vulnerability (CWE-863) affecting Adobe Dreamweaver Desktop versions 21.6 and earlier. Published on 2026-01-13, the issue enables arbitrary code execution in the context of the current user by bypassing security measures. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by an attacker with local access who tricks a victim into opening a malicious file, requiring user interaction. Successful exploitation allows the attacker to execute unauthorized code, achieving high impacts on confidentiality, integrity, and availability within the user's context.

Adobe's security bulletin APSB26-01, available at https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html, details patches and mitigation guidance for addressing this vulnerability.

EU & UK References

Vulnerability details

Dreamweaver Desktop versions 21.6 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could leverage this vulnerability to bypass security measures and execute unauthorized…

more

code. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Vulnerability enables arbitrary code execution via a malicious file opened by the user in the Dreamweaver client application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-21268Same product: Adobe Dreamweaver
CVE-2026-21267Same product: Adobe Dreamweaver
CVE-2026-21271Same product: Adobe Dreamweaver
CVE-2026-21324Same product: Apple Macos
CVE-2026-27284Same product: Apple Macos
CVE-2026-21344Same product: Apple Macos
CVE-2026-34687Same product: Apple Macos
CVE-2026-34630Same product: Apple Macos
CVE-2025-27175Same product: Apple Macos
CVE-2026-27274Same product: Apple Macos

Affected Assets

adobe
dreamweaver
≤ 21.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the incorrect authorization vulnerability through timely application of vendor patches detailed in Adobe bulletin APSB26-01.

preventdetect

Malicious code protection scans and blocks malicious files intended for opening in Dreamweaver, preventing unauthorized code execution.

prevent

Memory protection mechanisms like DEP and ASLR mitigate arbitrary code execution resulting from the authorization bypass.

References