Jul 8, 2026·6 min read·7 visits
A critical unauthenticated path traversal vulnerability in Adobe ColdFusion RDS permits arbitrary file writes to the local filesystem, leading directly to unauthenticated remote code execution.
CVE-2026-48282 is a critical unauthenticated path traversal and arbitrary file write vulnerability in the Remote Development Services (RDS) component of Adobe ColdFusion. The vulnerability allows a remote, unauthenticated attacker to bypass directory boundaries and write arbitrary files, including CFML-based web shells, onto the host server. This flaw is actively exploited in the wild and enables full unauthenticated remote code execution under the privileges of the ColdFusion service account.
Adobe ColdFusion contains a critical vulnerability in its Remote Development Services (RDS) component, tracked under the identifier CVE-2026-48282. This service is designed to facilitate interaction between external development tools and the ColdFusion application server. When enabled, it processes operations such as database queries, directory administration, and file transfers over HTTP.
The vulnerability is classified under CWE-22 as an Improper Limitation of a Pathname to a Restricted Directory, or Path Traversal. The affected endpoints map to the administrative RDS query processing route, specifically accessed via /CFIDE/main/ide.cfm. The vulnerability allows unauthenticated attackers to exploit the filesystem management logic.
If the RDS service is enabled without proper authentication restrictions, an attacker can transmit crafted HTTP POST requests to perform arbitrary file system modifications. Writing malicious ColdFusion Markup Language (CFML) code into web-accessible folders results in full unauthenticated remote code execution.
The root cause of this vulnerability lies in the input processing of the coldfusion.rds.FileServlet class. When the RDS endpoint receives an HTTP request with the query parameter ACTION=FILEIO, control is dispatched to this servlet to handle filesystem operations. The class maintains several interior command processors including FileReadOperator and FileWriteOperator to service these tasks.
In vulnerable implementations, the FileWriteOperator processes a length-prefixed RDS RPC packet containing a user-specified destination file path. This raw path string is directly passed to the getFile(filename) method, which instantiates a java.io.File object. No path normalization, canonicalization, or sanitization checks are performed on this value before the file write routine is executed.
Because of this design flaw, the application accepts relative pathname sequences such as .. or absolute filesystem paths without restrictions. If RDS is enabled and authentication is disabled, any network attacker can supply a path targeting the server web root, bypassing directory access restrictions completely.
The remediation introduced in the security patch alters the entry point for file instantiation inside the FileServlet class. Instead of invoking the vulnerable getFile(filename) API directly, the patched application routes the path string through getCanonicalFile(filename) which forces the input through the static validator RdsFileSecurity.resolveCanonical(path).
// Vulnerable Implementation in FileServlet.java
public class FileServlet extends RdsCmdProcessorCompositeServlet {
// ...
// The vulnerability lies here: filename is trusted directly from input
File targetFile = FileServlet.this.getFile(filename);
// Writes content to the file without verifying bounds
writeFileContent(targetFile, payload);
}The following code segment shows the patched security validation logic implemented in RdsFileSecurity.java to neutralize path traversal attempts:
package coldfusion.rds;
import coldfusion.util.RB;
import java.io.File;
import java.io.IOException;
final class RdsFileSecurity {
// Restricts directory traversal structurally
static File resolveCanonical(String path) throws IOException {
if (path == null || path.isEmpty()) {
throw new IOException("Invalid Path");
} else if (path.indexOf(0) >= 0) {
throw new IOException("Null Byte Rejected");
} else if (containsParentDirSegment(path)) {
throw new IOException("Traversal Detected");
} else {
return new File(normalizeDriveLetter(path)).getCanonicalFile();
}
}
private static boolean containsParentDirSegment(String path) {
String p = path.replace('\\', '/');
return p.equals("..") || p.startsWith("../") || p.endsWith("/..") || p.contains("/../");
}
}This validator performs a sequence of verification steps. It screens the path parameter for empty input and rejects null bytes to avoid extension termination attacks. It then normalizes backward slashes to forward slashes and scans for the parent directory pattern ... Finally, the path is converted to its canonical form using the native filesystem API, ensuring that any directory escaping attempt is caught and rejected before filesystem interaction occurs.
To successfully trigger the arbitrary file write, the attacker must construct a request conforming to the custom RDS Remote Procedure Call (RPC) protocol. The body of the HTTP POST request uses a length-prefixed serialization mechanism. Each payload field is parsed sequentially according to a predefined index scheme.
The custom protocol header begins with an integer specifying the field count, followed by a colon separator. Each field is composed of a four-byte zero-padded length descriptor, a colon separator, and the raw payload data. For a file write operation, four distinct fields must be serialized in the RPC body: the target file path, the command indicator WRITE, an operational write flag, and the binary or text content of the target file.
An example of a serialized packet targeting a Windows environment appears as follows: 4:000043:C:\ColdFusion2025\cfusion\wwwroot\shell.cfm00005:WRITE00001:0000025:<cfoutput>Pwned</cfoutput>. The ColdFusion runtime parses this byte-by-byte, extracts the target destination path without verification, and proceeds to write the exact string payload to the filesystem inside the web application directory. When a subsequent HTTP GET request is issued to /shell.cfm, the server executes the newly added CFML tags.
The impact of CVE-2026-48282 is characterized by unauthenticated remote code execution. Because the vulnerability does not require authentication or user interaction, any network-adjacent or external attacker can exploit the vulnerability if the RDS service is exposed to the internet. This results in a CVSS v3.1 score of 10.0.
Successful execution of arbitrary CFML scripts allows full control over the underlying operating system. On Windows servers, ColdFusion historically runs under high-privilege system accounts such as NT AUTHORITY\SYSTEM, facilitating total host compromise. On Linux distributions, depending on configuration, attackers can execute commands as root or the designated service user, facilitating privilege escalation, lateral movement, or data exfiltration.
Active exploitation has been observed in the wild, which prompted CISA to add the vulnerability to its Known Exploited Vulnerabilities catalog. The rapid transition from initial vendor patch release to public, weaponized exploits makes this vulnerability a critical threat to unpatched instances.
Defensive engineering requires the immediate application of official software updates. Organizations must deploy ColdFusion 2025 Update 10 or ColdFusion 2023 Update 21 to ensure the sanitization code is loaded into the Java runtime environment. These updates fully replace the vulnerable class structures within the core jar archives.
If patches cannot be deployed immediately, the primary workaround is to disable the RDS service. This is accomplished in the ColdFusion Administrator panel under Security > RDS, or by commenting out the corresponding servlet mappings inside the web.xml deployment descriptor. Disabling RDS entirely removes the endpoint /CFIDE/main/ide.cfm from the active servlet dispatcher, neutralizing the attack path.
For instances where RDS is required for operational development, strict access control lists must be enforced. Administrators should restrict HTTP access to the administrative URI through reverse proxies, firewalls, or Web Application Firewalls (WAFs), allowing connections only from trusted developer subnetworks. Furthermore, strong password authentication must be enforced within the RDS configuration.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 |
| Attack Vector | Network (Unauthenticated) |
| CVSS Score | 10.0 |
| EPSS Score | 0.01021 (Percentile: 59.24%) |
| Impact | Remote Code Execution (RCE) / Arbitrary File Write |
| Exploit Status | Active / Weaponized |
| KEV Status | Listed (July 7, 2026) |
The software uses external input to construct a pathname that is intended to identify a file or directory that is located under a restricted directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Januscape (CVE-2026-53359) is a critical Use-After-Free vulnerability in the x86 Shadow MMU component of the Linux Kernel's KVM subsystem. A logic error in shadow page tracking permits unauthorized page reuse without validating architectural execution roles, leading to dangling pointers in reverse mapping (rmap) tracking entries during guest memory teardown.
An information disclosure vulnerability exists in the web-auth/webauthn-lib PHP library when using the default SimpleFakeCredentialGenerator without a configured secret. This allows unauthenticated remote attackers to determine if a username exists on the target application.
A Stored and Reflected Cross-Site Scripting (XSS) vulnerability was identified in the Rust web service library 'rama' prior to version 0.3.0-rc.1. When serving directories using DirectoryServeMode::HtmlFileList, the library improperly escapes directory names, filenames, and request path components before injecting them into dynamically generated HTML files. This allows attackers to execute malicious scripts inside user browser sessions.
The ha-mcp add-on for Home Assistant exposes its settings and security policy routes without authentication at the bare root path of TCP port 9583. This exposure allows unauthorized adjacent network clients to reconfigure tools, alter policies, and bypass human-in-the-loop approval gates. The vulnerability has been addressed in development build 7.6.0.dev393 and subsequent releases by restricting access to root-mounted routes exclusively to the Supervisor Ingress IP.
An authentication freshness bypass vulnerability exists in the WebAuthn re-authentication path of Flask-Security-Too versions 5.8.0 and 5.8.1. The flaw allows an authenticated attacker to elevate the freshness status of a victim session using their own WebAuthn credential, bypassing re-authentication constraints.
A Server-Side Request Forgery (SSRF) vulnerability exists in Weblate's private address validator when the VCS_RESTRICT_PRIVATE setting is enabled. By exploiting IPv6 transition mechanisms, such as NAT64, 6to4, or IPv4-compatible configurations, an attacker can bypass private network boundaries and access internal services.