{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34626", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "state": "PUBLISHED", "assignerShortName": "adobe", "dateReserved": "2026-03-30T17:30:36.490Z", "datePublished": "2026-04-14T16:18:04.679Z", "dateUpdated": "2026-04-14T17:53:05.039Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T16:26:46.825Z"}, "title": "Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)", "datePublic": "2026-04-14T17:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1321", "description": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)", "type": "CWE"}]}], "affected": [{"vendor": "Adobe", "product": "Acrobat Reader", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "26.001.21411", "versionType": "semver"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file system read in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file system read in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.</p>"}]}], "references": [{"url": "https://helpx.adobe.com/security/products/acrobat/apsb26-44.html", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "availabilityRequirement": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "environmentalScore": 6.3, "environmentalSeverity": "MEDIUM", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "LOW", "modifiedAttackVector": "LOCAL", "modifiedAvailabilityImpact": "NONE", "modifiedConfidentialityImpact": "HIGH", "modifiedIntegrityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedScope": "CHANGED", "modifiedUserInteraction": "REQUIRED", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalScore": 6.3, "temporalSeverity": "MEDIUM"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T17:52:58.091952Z", "id": "CVE-2026-34626", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:53:05.039Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34626", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T17:52:58.091952Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T17:53:00.829Z"}}], "cna": {"title": "Acrobat Reader | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)", "source": {"discovery": "EXTERNAL"}, "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "modifiedScope": "CHANGED", "temporalScore": 6.3, "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "remediationLevel": "NOT_DEFINED", "reportConfidence": "NOT_DEFINED", "temporalSeverity": "MEDIUM", "availabilityImpact": "NONE", "environmentalScore": 6.3, "privilegesRequired": "NONE", "exploitCodeMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "LOCAL", "confidentialityImpact": "HIGH", "environmentalSeverity": "MEDIUM", "availabilityRequirement": "NOT_DEFINED", "modifiedIntegrityImpact": "NONE", "modifiedUserInteraction": "REQUIRED", "modifiedAttackComplexity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAvailabilityImpact": "NONE", "modifiedPrivilegesRequired": "NONE", "modifiedConfidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Adobe", "product": "Acrobat Reader", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "26.001.21411"}], "defaultStatus": "affected"}], "datePublic": "2026-04-14T17:00:00.000Z", "references": [{"url": "https://helpx.adobe.com/security/products/acrobat/apsb26-44.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file system read in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.", "supportingMedia": [{"type": "text/html", "value": "<p>Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file system read in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') (CWE-1321)"}]}], "providerMetadata": {"orgId": "078d4453-3bcd-4900-85e6-15281da43538", "shortName": "adobe", "dateUpdated": "2026-04-14T16:26:46.825Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34626", "state": "PUBLISHED", "dateUpdated": "2026-04-14T17:53:05.039Z", "dateReserved": "2026-03-30T17:30:36.490Z", "assignerOrgId": "078d4453-3bcd-4900-85e6-15281da43538", "datePublished": "2026-04-14T16:18:04.679Z", "assignerShortName": "adobe"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:adobe:acrobat:*:*:*:*:classic:*:*:*", "matchCriteriaId": "7E334D1F-0A7E-45F0-AE1C-AE3F38647E17", "versionEndExcluding": "24.001.30365", "versionStartIncluding": "24.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:acrobat_dc:*:*:*:*:continuous:*:*:*", "matchCriteriaId": "131CFDA9-0739-4C00-9B10-0F20C3979B22", "versionEndExcluding": "26.001.21431", "versionStartIncluding": "15.008.20082", "vulnerable": true}, {"criteria": "cpe:2.3:a:adobe:acrobat_reader_dc:*:*:*:*:continuous:*:*:*", "matchCriteriaId": "EB130846-ED6A-4C3E-8984-685EEA001AAF", "versionEndExcluding": "26.001.21431", "versionStartIncluding": "15.008.20082", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E", "vulnerable": false}, {"criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Acrobat Reader versions 26.001.21411, 24.001.30360, 24.001.30362 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary file system read in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "id": "CVE-2026-34626", "lastModified": "2026-04-16T14:14:59.690", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "psirt@adobe.com", "type": "Secondary"}]}, "published": "2026-04-14T17:16:51.283", "references": [{"source": "psirt@adobe.com", "tags": ["Vendor Advisory"], "url": "https://helpx.adobe.com/security/products/acrobat/apsb26-44.html"}], "sourceIdentifier": "psirt@adobe.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "psirt@adobe.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,26.001.21411]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Acrobat Reader", "source": "cna", "vendor": "Adobe"}, "product": "acrobat_reader", "vendor": "adobe"}], "analysis": {"en": {"generated_at": "2026-04-14T17:52:29.449251+00:00", "value": {"mitigation_remediation": ["Update Adobe Acrobat Reader to the latest version that supersedes 26.001.21411, 24.001.30360, and 24.001.30362.", "Configure Adobe Reader to require user confirmation before executing scripts or opening embedded objects.", "Avoid opening PDF files from unknown or untrusted sources."], "summary": {"action": "Patch", "impact": "Arbitrary local file read"}, "threat_synthesis": {"affected_systems": "Adobe Acrobat Reader 26.001.21411, 24.001.30360, and 24.001.30362, along with all earlier releases, are impacted. This affects all users who have not upgraded past these revisions. The vulnerability applies to any installation of Acrobat Reader, though the operating system is not specified in the advisory.", "description_and_impact": "The flaw is an improper control over object prototype attributes, a form of prototype pollution. When a malicious PDF file is opened, an attacker can trigger code that reads an arbitrary file from the victim\u2019s local file system. The weakness is classified as CWE\u20111321 and could expose sensitive data. The impact is limited to file read under the current user\u2019s privileges, but it can still compromise confidentiality.", "risk_and_exploitability": "The CVSS base score of 6.3 indicates a moderate risk level. The EPSS score is not available. The issue is not listed in the CISA KEV catalog, suggesting no widespread exploitation yet. Exploitation requires user interaction to open a crafted PDF file, meaning the threat is user\u2011dependent. Because the attack is confined to local file read, the overall risk is moderate, but any environment handling PDF documents should consider patching promptly."}}}}, "created": "2026-04-15T14:31:56.931626+00:00", "updated": "2026-04-15T15:30:06.809109+00:00", "vendors": ["adobe", "adobe$PRODUCT$acrobat_reader"]}