Overview
Adobe Acrobat Reader contains a prototype pollution vulnerability that allows attackers to execute arbitrary code when a victim opens a malicious PDF file. The vulnerability stems from improperly controlled modification of object prototype attributes, which can be exploited to gain code execution in the context of the current user. The vulnerability was disclosed on April 11, 2026. CISA has identified CVE-2026-34621 as exploited in the wild; it is not currently known to be used in ransomware campaigns.
Technical details
A prototype pollution vulnerability exists in Adobe Acrobat Reader where the application improperly handles object prototype attributes. An attacker can craft a malicious PDF file that, when opened by a victim, modifies JavaScript prototype objects. This allows the attacker to inject malicious code that executes within the reader's JavaScript execution context, leading to arbitrary code execution with the privileges of the user running Acrobat Reader.
The vulnerability is classified as CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')) and CWE-94 (Improper Control of Generation of Code ('Code Injection')).
The vulnerability has received a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating High severity: network-reachable, low attack complexity, no privileges required, user interaction (opening the file) required, and high impact on confidentiality, integrity and availability.
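As an added illustration of the CWE-1321 mechanism the report describes (hypothetical JavaScript written for this note, not Adobe's code and not the Acrobat defect itself), the merge below writes attacker-chosen properties onto Object.prototype through a key named `__proto__` when it trusts every key of untrusted input, and leaves the prototype untouched once the hardened checks are applied; a baseline comparison serves as a simple tamper check:

```javascript
// Added illustration of CWE-1321 (prototype pollution). Hypothetical code:
// not Adobe's, and not the Acrobat Reader defect itself.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Recursive merge of untrusted input. With strict=false it trusts every
// key: a key literally named "__proto__" resolves to Object.prototype on
// the target, so the recursion writes attacker-chosen properties onto it.
// With strict=true it refuses prototype-reaching keys and only recurses
// into the target's own plain objects, never inherited ones.
function merge(target, source, strict) {
  for (const key of Object.keys(source)) {
    if (strict && FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const reuse = typeof target[key] === "object" && target[key] !== null
        && (!strict || hasOwn(target, key));
      if (!reuse) target[key] = {};
      merge(target[key], value, strict);
    } else {
      target[key] = value;
    }
  }
  return target;
}
const mergeUnsafe = (t, s) => merge(t, s, false); // vulnerable form
const mergeSafe = (t, s) => merge(t, s, true);    // hardened form

// Defender check: own properties that appeared on Object.prototype since
// startup are a sign the global prototype has been tampered with.
const BASELINE = new Set(Object.getOwnPropertyNames(Object.prototype));
function unexpectedPrototypeKeys() {
  return Object.getOwnPropertyNames(Object.prototype).filter((n) => !BASELINE.has(n));
}

function demo() {
  // Constructed sample of attacker-controlled JSON. JSON.parse creates an
  // own property named "__proto__" instead of setting the prototype.
  const untrusted = '{"title": "report", "__proto__": {"isAdmin": true}}';
  mergeUnsafe({}, JSON.parse(untrusted));
  const pollutedKeys = unexpectedPrototypeKeys();     // ["isAdmin"]
  const leaked = ({}).isAdmin === true;                // true: every object inherits it
  delete Object.prototype.isAdmin;                     // undo before the safe run
  mergeSafe({}, JSON.parse(untrusted));
  return { pollutedKeys, leaked, safeKeys: unexpectedPrototypeKeys() };
}
```

Freezing Object.prototype at startup (`Object.freeze(Object.prototype)`) is a further defence where the runtime permits it, since the polluting write then fails instead of succeeding silently.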
Impact
An attacker can execute arbitrary code with the same privileges as the user running Acrobat Reader. This could lead to complete system compromise, including theft of sensitive documents, installation of malware, credential theft, and lateral movement within a network. Given that Acrobat Reader is commonly used to open untrusted PDF files from the internet, this vulnerability poses a significant risk.
Mitigation and workarounds
Update Adobe Acrobat Reader to the latest patched version. Users can check for updates through Help > Check for Updates or visit Adobe's website for direct download. The following versions include the necessary fixes: Acrobat Reader 24.001.30365 or later (for 24.x branch), Acrobat Reader 26.001.21380 or later (for 26.x branch).
As temporary workarounds: disable JavaScript execution in Acrobat Reader (clear the Enable Acrobat JavaScript option under Edit > Preferences > JavaScript) to prevent prototype pollution-based code execution; this mitigates the attack but may disable legitimate PDF features. Only open PDF files from trusted sources, and be cautious of unsolicited PDF attachments or PDFs from unknown websites. Run Acrobat Reader in a sandboxed or isolated environment or virtual machine to limit the impact of code execution.
CISA's recommendation: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Source: This report was generated using AI