CVE-2026-34621
Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)
Description
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
In plain language
AI Act nowCVE-2026-34621 is a serious Adobe Acrobat Reader flaw where opening a specially made document can let an attacker run code on your computer as the logged-in user—this is a high priority to address for businesses that use Acrobat Reader.
CVE-2026-34621 is a Prototype Pollution (CWE-1321) issue in Adobe Acrobat Reader that enables code execution in the current user context via crafted input, triggered when a user opens a malicious file; it is listed in CISA KEV.
What to do now
- Check which product you use and your installed version of Adobe Acrobat DC or Adobe Acrobat.
- If your version is older than 26.001.21411 (Acrobat DC) or older than 24.001.30362 (Acrobat), plan an update immediately.
- Update Adobe Acrobat DC to 26.001.21411 or later, or update Adobe Acrobat to 24.001.30362 or later.
- Until you’re updated, avoid opening unexpected PDFs and treat external documents as high-risk (use your organization’s standard “safe handling” process).
CVSS Vector Breakdown
AV:LAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:RUser InteractionS:CScopeC:HConfidentialityI:HIntegrityA:HAvailabilityWeaknesses
Affected Products
Exploitability
Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
1 techniqueReferences
- CISA orders feds to patch max severity ColdFusion flaw by Fridayen-us·BleepingComputer·
- Max severity Adobe ColdFusion flaw now exploited in attacksen-us·BleepingComputer·
- Adobe patches seven max severity ColdFusion, Campaign flawsen-us·BleepingComputer·
- Майский «В тренде VM»: громкие уязвимости в Linux, ActiveMQ, SharePoint и Acrobat Readerru·Positive Technologies (Хабр)· Summary only·
- Patch Tuesday, April 2026 Editionen-us·Krebs on Security· Source-only·
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-34621 and every CVE in our database. Create a free account — no credit card required.
Create Free Account