CVE Tools

CVE-2026-34621

Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)

Published: Apr 11, 2026Updated: Apr 13, 2026 Sources: CVE List NVD BDUCWE-1321

Description

Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

In plain language

AI Act now

CVE-2026-34621 is a serious Adobe Acrobat Reader flaw where opening a specially made document can let an attacker run code on your computer as the logged-in user—this is a high priority to address for businesses that use Acrobat Reader.

Executive summary

CVE-2026-34621 is a Prototype Pollution (CWE-1321) issue in Adobe Acrobat Reader that enables code execution in the current user context via crafted input, triggered when a user opens a malicious file; it is listed in CISA KEV.

If affected, business impact
Full user account compromiseMalware installation riskRansomware staging capabilityBusiness-critical work disruption

What to do now

  1. Check which product you use and your installed version of Adobe Acrobat DC or Adobe Acrobat.
  2. If your version is older than 26.001.21411 (Acrobat DC) or older than 24.001.30362 (Acrobat), plan an update immediately.
  3. Update Adobe Acrobat DC to 26.001.21411 or later, or update Adobe Acrobat to 24.001.30362 or later.
  4. Until you’re updated, avoid opening unexpected PDFs and treat external documents as high-risk (use your organization’s standard “safe handling” process).
Patch / advisory Usually a quick update

CVSS Vector Breakdown

AV:LAC:LPR:NUI:RS:CC:HI:HA:H
Exploitability
AV:LAttack Vector
Local
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:RUser Interaction
Required
Scope
S:CScope
Changed
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High

Weaknesses

Affected Products

and 5 more affected products View all →

Exploitability

CISA Known Exploited Vulnerability
Added to KEV:Apr 13, 2026
Remediation due:Apr 27, 2026

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Official Patch Available

Attack Graph

Products CVE Techniques Tactics

Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/ + scroll to zoom, or go fullscreen.

MITRE ATT&CK

1 technique
Execution
View detailed technique mapping

References

and 2 more references View all →
5

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-34621 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows