External risk intelligence

Adobe Campaign Classic Incorrect Authorization Code Execution

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-48303

Adobe Campaign Classic is affected by an incorrect authorization vulnerability enabling arbitrary code execution without user interaction. Attackers can exploit this over the network, potentially leading to a broad compromise of the user's context. This issue is critical as it bypasses security layers and can be trigge

4 Halo Surface Signal

Adobe Campaign

before 7.4.3

External exposure likelihood

Halo Surface Signal score for CVE-2026-48303

Adobe Campaign Classic is an enterprise marketing automation platform frequently deployed as an internet-facing web application or API service to manage customer engagement, campaigns, and external web-based interactions.

PCI scan relevance

PCI Relevance for CVE-2026-48303

Yes

CVE-2026-48303 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for arbitrary code execution, which is a type of flaw that would likely cause a PCI ASV scan to fail, requiring remediation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in Adobe Campaign Classic that, if exploited, could allow an unauthorized actor to execute arbitrary code without any user interaction. The issue impacts the authorization controls within the software, potentially leading to a broad compromise of the current user's context. This type of vulnerability is significant because it bypasses typical security layers and can be triggered remotely, making it a primary concern for systems exposed to the internet.

  • Authorization flaw allows unauthorized code execution.
  • Significant due to remote exploitation and broad impact.
  • Confirm relevance and potential exposure to affected systems.

Attack Path

How an attacker could exploit the issue

An attacker could leverage this flaw by reaching an exposed Adobe Campaign Classic component over the network. This vulnerability in authorization controls could allow an unauthenticated attacker to execute arbitrary code on the system, potentially leading to a complete compromise.

  • Entry condition: Network access required.
  • Trigger point: Vulnerable authorization mechanism.
  • Resulting risk: Arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Adobe Campaign Classic could allow an unauthenticated attacker to execute arbitrary code with the privileges of the current user. This could occur when the system is accessible over a network, without requiring any action from a user.

  • Arbitrary code execution.
  • Exploitation without user interaction.
  • Potential for full system compromise.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The real-world ownership for this vulnerability likely falls to the Adobe Campaign Classic application owners and the infrastructure or platform teams managing its deployment. The first practical step is to identify all instances of Adobe Campaign Classic within the environment, assess their exposure and business criticality, and then confirm the accountable owner for each instance to plan remediation.

  • Application owners and infrastructure teams.
  • Verify deployment reachability and criticality.
  • Plan remediation based on exposure.

Frequently asked questions

What is Adobe Campaign Classic?

Adobe Campaign Classic is an enterprise-grade marketing automation platform. Organizations use it to coordinate customer journeys, manage data-driven marketing campaigns, and facilitate multi-channel engagement. It often integrates with web services to interact with customers, acting as a central hub for handling complex marketing communications and database interactions across an enterprise environment.

How does CVE-2026-48303 allow unauthorized code execution?

This vulnerability is classified as Incorrect Authorization (CWE-863). Essentially, the software fails to properly verify if a user has permission to perform certain actions. Because of this oversight, an attacker can bypass security checks to run unauthorized commands on the server. The 'Incorrect Authorization' means the system grants access that should be restricted, allowing the attacker to execute code as if they were a legitimate user.

Does triggering this vulnerability require user interaction?

No, this vulnerability does not require any action from a legitimate user to succeed. The attacker only needs network access to the vulnerable system component to initiate the exploit. Because it targets the underlying authorization mechanism, the software processes the request automatically, and the bug is triggered purely through remote network communication without needing someone to click a link or log in.

Why is this CVE particularly relevant for internet-facing systems?

According to Halo Surface Signal, this software is frequently deployed as an internet-facing web application or API to support external interactions. Because this flaw is reachable over a network, systems exposed to the public internet are at a much higher risk of being targeted by unauthorized actors. Internal-only systems may have lower risk, but those directly accessible from the outside require immediate attention.

What should I do first to address this vulnerability?

Your first step is to create a comprehensive inventory of all Adobe Campaign Classic instances running in your environment. Once identified, evaluate which of these systems are accessible over the network and determine the business criticality of each instance. Coordinate with the application and infrastructure teams responsible for those specific deployments to verify their current patch status and plan for upcoming software updates.
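The inventory-and-prioritize step described above can be scripted. The following is an added example, not code from Adobe or from this advisory's publisher: it triages an instance inventory against the "before 7.4.3" boundary stated on this page. The CSV columns, hostnames and sample rows are constructed, and it assumes versions are recorded as dotted numeric strings.

```python
import csv
import io

FIXED = (7, 4, 3)  # this page lists affected versions as "before 7.4.3"

# Constructed sample inventory; hosts, columns and values are hypothetical.
SAMPLE_INVENTORY = """host,version,internet_facing,criticality,owner
acc-mkt-01.example.internal,7.4.2,yes,high,marketing-platform
acc-mkt-02.example.internal,7.4.3,yes,high,marketing-platform
acc-dev-01.example.internal,7.3.5,no,low,
acc-stg-01.example.internal,unknown,yes,medium,infra
acc-rpt-01.example.internal,7.4.10,no,medium,infra
"""

CRIT_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_version(text):
    """Return a tuple of ints, or None when the version cannot be parsed."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None


def triage(inventory_csv):
    """Return instances needing action, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["version"])
        if version is not None and version >= FIXED:
            continue  # at or above the fixed release (7.4.10 > 7.4.3 numerically)
        findings.append({
            "host": row["host"],
            # An unparseable version is never assumed patched; it is queued for a check.
            "status": "verify-version" if version is None else "affected",
            "exposed": row["internet_facing"].strip().lower() == "yes",
            "criticality": row["criticality"],
            "owner": row["owner"] or "UNASSIGNED",
        })
    # Internet-facing first, then by business criticality, then by host name.
    findings.sort(key=lambda f: (not f["exposed"],
                                 CRIT_RANK.get(f["criticality"], 3), f["host"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding)
```

Rows with a missing owner surface as `UNASSIGNED`, so the accountable-owner gap is visible in the same list used to plan remediation.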
