CVE-2026-21274

High

Published: 13 January 2026

Published

13 January 2026

Modified

14 January 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0005 16.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21274 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Adobe Dreamweaver. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 16.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the incorrect authorization vulnerability through timely application of vendor patches detailed in Adobe bulletin APSB26-01.

SI-3 Malicious Code Protection partial match

preventdetect

Malicious code protection scans and blocks malicious files intended for opening in Dreamweaver, preventing unauthorized code execution.

SI-16 Memory Protection partial match

prevent

Memory protection mechanisms like DEP and ASLR mitigate arbitrary code execution resulting from the authorization bypass.

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Vulnerability enables arbitrary code execution via a malicious file opened by the user in the Dreamweaver client application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Dreamweaver Desktop versions 21.6 and earlier are affected by an Incorrect Authorization vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could leverage this vulnerability to bypass security measures and execute unauthorized…

code. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Deeper analysisAI

CVE-2026-21274 is an Incorrect Authorization vulnerability (CWE-863) affecting Adobe Dreamweaver Desktop versions 21.6 and earlier. Published on 2026-01-13, the issue enables arbitrary code execution in the context of the current user by bypassing security measures. It carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The vulnerability can be exploited by an attacker with local access who tricks a victim into opening a malicious file, requiring user interaction. Successful exploitation allows the attacker to execute unauthorized code, achieving high impacts on confidentiality, integrity, and availability within the user's context.

Adobe's security bulletin APSB26-01, available at https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html, details patches and mitigation guidance for addressing this vulnerability.

Details

CWE(s): CWE-863

Affected Products

adobe

dreamweaver

≤ 21.7

CVEs Like This One

CVE-2026-21267Same product: Adobe Dreamweaver

CVE-2026-21268Same product: Adobe Dreamweaver

CVE-2026-21271Same product: Adobe Dreamweaver

CVE-2025-21128Same product: Apple Macos

CVE-2026-21322Same product: Apple Macos

CVE-2025-21160Same product: Apple Macos

CVE-2026-21272Same product: Adobe Dreamweaver

CVE-2026-21345Same product: Apple Macos

CVE-2026-34630Same product: Apple Macos

CVE-2026-27284Same product: Apple Macos

References

https://helpx.adobe.com/security/products/dreamweaver/apsb26-01.html
Vendor Advisory · psirt@adobe.com