CVE-2026-34615
Published: 14 April 2026
Summary
CVE-2026-34615 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe Connect Desktop Application. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 45.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-3 (Malicious Code Protection).
Deeper analysis
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability, identified as CVE-2026-34615 and assigned CWE-502. The flaw can result in arbitrary code execution in the context of the current user and is rated 9.3 under CVSS 3.1 with network attack vector, low complexity, no required privileges, required user interaction, and changed scope.
An unauthenticated attacker can exploit the issue by supplying a maliciously crafted URL or compromised web page that the victim must visit or interact with, enabling injection of malicious scripts that may yield elevated access or control over the victim's account or session.
The Adobe security advisory at https://helpx.adobe.com/security/products/connect/apsb26-37.html provides further details on the issue. The EPSS score is flat: its peak and current values are both 0.0451, with no material rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22671
Vulnerability details
Adobe Connect versions 2025.3, 12.10 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to inject malicious scripts into a web page, potentially gaining elevated access or control over the victim's account or session. Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2026-34615 is a deserialization vulnerability in Adobe Connect, a public-facing web application, enabling remote arbitrary code execution with no privileges required (AV:N/AC:L/PR:N), directly mapping to Exploit Public-Facing Application (T1190).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of untrusted data before deserialization, blocking the malicious serialized payload that enables arbitrary code execution.
Deploys malicious-code detection mechanisms that can identify and block the injected scripts or code resulting from successful deserialization.
Enforces integrity verification on inputs and software components, allowing detection of unauthorized modifications introduced via the crafted URL or web page.