CVE-2026-34659
Published: 12 May 2026
Summary
CVE-2026-34659 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Adobe Connect Desktop Application. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). The CVE ranks at the 45.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier contain a deserialization of untrusted data flaw (CWE-502) that permits arbitrary code execution in the context of the current user. The vulnerability carries a CVSS 3.1 score of 9.6 with network attack vector, low complexity, no required privileges, required user interaction, and changed scope, resulting in complete loss of confidentiality, integrity, and availability.
An unauthenticated attacker can trigger the issue by supplying a maliciously crafted URL or compromised web page that the victim must visit or interact with, after which code executes under the victim's privileges and can affect resources beyond the original security scope.
The official Adobe advisory APSB26-50 at https://helpx.adobe.com/security/products/connect/apsb26-50.html provides remediation steps for affected Connect installations. The associated EPSS score remains flat at 0.0374, with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-29740
Vulnerability details
Adobe Connect versions 2025.9.15, 2025.8.157 and earlier are affected by a Deserialization of Untrusted Data vulnerability that could result in arbitrary code execution in the context of the current user. An attacker could exploit this vulnerability to execute arbitrary code.
Exploitation of this issue requires user interaction in that a victim must visit a maliciously crafted URL or interact with a compromised web page. Scope is changed.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Drive-by Compromise (T1189)
Why these techniques?
A deserialization RCE triggered by the victim visiting a malicious URL or compromised page maps directly to drive-by compromise and to user execution of a malicious link.
Affected Assets
- Adobe Connect Desktop Application, versions 2025.9.15, 2025.8.157 and earlier
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly enforces validation of untrusted serialized input before deserialization, blocking the malicious payload that triggers arbitrary code execution.
- SI-2 (Flaw Remediation): Requires timely application of the vendor patch (APSB26-50) that eliminates the deserialization flaw in affected Adobe Connect versions.
- Malicious-code detection and blocking mechanisms that can intercept the post-deserialization payload execution triggered via the crafted URL.
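The SI-10 control above, enforcing validation of serialized input before any object is constructed, is the generic fix for CWE-502. The following is an added illustration written for this page; it is not Adobe's code, and the page does not describe the serialization format Adobe Connect actually uses, so Python's pickle stands in for it. The `MeetingInvite` type, the `ALLOWED_GLOBALS` allowlist and the sample streams are constructed for the example. The point it shows is that an allowlisting deserializer refuses to resolve any class or callable outside the expected set before the stream is acted on, whereas the stock `pickle.loads` will happily resolve whatever the stream names.

```python
import io
import pickle
from dataclasses import dataclass


# Constructed sample type: the only application object the receiver expects.
@dataclass
class MeetingInvite:
    room: str
    host: str


# Allowlist of (module, qualified name) pairs the deserializer may resolve.
# Both spellings cover the case where this file runs as a script or is imported.
ALLOWED_GLOBALS = {
    ("__main__", "MeetingInvite"),
    (__name__, "MeetingInvite"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any global not on the allowlist.

    find_class() is the hook pickle calls for every GLOBAL/STACK_GLOBAL
    reference, so refusing here stops the stream before an object is built.
    """

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_deserialize(data: bytes):
    """Validate an untrusted stream; returns (ok, MeetingInvite | reason)."""
    try:
        obj = restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)
    # A stream that resolves only allowed names can still carry the wrong
    # shape; check the top-level type before handing it to application code.
    if not isinstance(obj, MeetingInvite):
        return False, f"unexpected top-level type {type(obj).__name__}"
    return True, obj


def unrestricted_resolves_callable(data: bytes) -> bool:
    """Show the contrast: stock pickle.loads resolves whatever the stream names.

    The object is only resolved, never invoked, which is enough to show why
    validation has to happen before deserialization rather than after.
    """
    return callable(pickle.loads(data))


# Constructed sample streams.
SAMPLE_OK = pickle.dumps(MeetingInvite(room="r-1001", host="alice"))
# A stream referencing a callable outside the allowlist (builtins.eval here).
SAMPLE_REFUSED = pickle.dumps(eval)
# A stream that resolves nothing forbidden but is not the expected type.
SAMPLE_WRONG_TYPE = pickle.dumps(("r-1001", "alice"))


def demo() -> dict:
    return {
        "ok": safe_deserialize(SAMPLE_OK),
        "refused": safe_deserialize(SAMPLE_REFUSED),
        "wrong_type": safe_deserialize(SAMPLE_WRONG_TYPE),
        "stock_loads_resolves": unrestricted_resolves_callable(SAMPLE_REFUSED),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The allowlist is deliberately a set of exact `(module, name)` pairs rather than a module prefix: a prefix rule would let any attribute of an allowed module through, which is how allowlists in this style usually get bypassed.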