External risk intelligence

Adobe Campaign Classic SSRF Vulnerability Allows Code Execution

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-47938

A Server-Side Request Forgery vulnerability in Adobe Campaign Classic could allow unauthorized code execution without user interaction, and its impact can change scope. This issue is reachable externally and could lead to arbitrary code execution. Security-aware leaders should assess their Adobe Campaign Classic instances

Halo Surface Signal: 4

Server-Side Request Forgery

External exposure likelihood

Halo Surface Signal score for CVE-2026-47938

Adobe Campaign Classic is an enterprise marketing and campaign management platform often deployed as an internet-facing web application to facilitate external communication, campaign tracking, and API integrations, making its components frequently reachable from the public internet.

PCI scan relevance

PCI Relevance for CVE-2026-47938

Yes

CVE-2026-47938 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Adobe Campaign Classic could allow an attacker to execute arbitrary code. It is considered PCI scan-relevant due to its high severity and potential impact.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Adobe Campaign Classic could allow unauthorized code execution without any user interaction, potentially impacting the integrity and availability of the system. This Server-Side Request Forgery issue has a broad scope, meaning its effects could extend beyond the immediate component.

  • A security flaw allows unauthorized code execution.
  • It affects marketing and campaign management systems.
  • Confirm relevance and assess exposure to this risk.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests to an exposed Adobe Campaign Classic instance, tricking the server into making requests on the attacker's behalf. No user interaction is required, and the vulnerability can change the scope of impact. This could potentially lead to arbitrary code execution with the privileges of the affected user.

  • No authentication or user interaction needed.
  • Server processes malicious requests.
  • Arbitrary code execution possible.

Live Threat

Current exploitation, exposure, and threat context

A Server-Side Request Forgery vulnerability in Adobe Campaign Classic could allow an attacker to execute arbitrary code within the application's environment. This occurs when the software makes requests to external resources based on attacker-controlled input, potentially leading to unauthorized actions.

  • Server-side code execution.
  • Maliciously crafted network requests.
  • Compromise of the application and its data.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This Server-Side Request Forgery (SSRF) vulnerability in Adobe Campaign Classic (ACC) likely impacts customers using the platform for external-facing operations, potentially exposing them to arbitrary code execution. Infrastructure and platform teams are typically responsible for managing Adobe Campaign Classic deployments. The first critical step is to identify all ACC instances, assess their internet reachability and business criticality, and confirm ownership to prioritize remediation efforts.

  • Determine responsible ownership.
  • Verify instance exposure and criticality.
  • Plan risk-based remediation.

Frequently asked questions

What is Adobe Campaign Classic?

Adobe Campaign Classic is an enterprise-grade platform designed for managing marketing campaigns and customer communications. Organizations use it to coordinate email, mobile, and web marketing activities, track customer interactions, and handle data-driven integrations. It often functions as a central hub for external marketing workflows, meaning it manages data and connections across various digital channels to execute large-scale outreach programs.

What does Server-Side Request Forgery mean for CVE-2026-47938?

CVE-2026-47938 is classified as CWE-918, or Server-Side Request Forgery (SSRF). This weakness allows an attacker to manipulate the server into making unintended network requests. Instead of the application only communicating with trusted internal services or authorized external sites, an attacker can force the server to act as a proxy. In this specific case, that manipulation can escalate into the execution of arbitrary code, granting the attacker control within the application's environment.

How can an attacker trigger this vulnerability?

An attacker triggers this flaw by sending specially crafted network requests to a vulnerable instance of Adobe Campaign Classic. The vulnerability does not require the attacker to have an account, nor does it require any action from a legitimate user. It is important to note that the vulnerability is specifically triggered by these malicious inputs; standard, legitimate marketing traffic that follows expected application logic does not trigger the underlying SSRF condition.

Why is this CVE high-priority for my organization?

According to Halo Surface Signal, Adobe Campaign Classic is frequently deployed as an internet-facing application to support external marketing and API integrations. Because it is often reachable from the public internet to facilitate these global communications, it is highly visible to external actors. If your instance is accessible from the internet, the barrier for an attacker to reach and exploit this service is significantly lower than for isolated, internal-only components.

How should I respond to CVE-2026-47938?

Your first step is to perform an inventory of all Adobe Campaign Classic instances within your environment. Identify which systems are currently reachable from the public internet and determine their business criticality. Once you have a clear map of your deployment, confirm ownership of these assets. Use this information to coordinate with your infrastructure and platform teams to prioritize remediation efforts based on the exposure and importance of each identified instance.
