Announcing ColdFusion updates of Jun 30 2026 - P1 security update - thoughts and resources
In brief, this update is classed by Adobe as a P1 (Priority 1, "Critical") security update. Then again, the security bulletin (link below) indicates as of today that "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."
[Update within a half hour of this original post: I decided to add a bit more clarification about some changed behavior in the update, rather than just point to the technote for it. See first this next paragraph and then the "what's changed" section below. If you're seeing this post for the first time after this tweak, do just keep reading after this paragraph. :-)]
See below for some breaking-change impacts of these security changes on cfexchange and (separately) some aspects of XML processing. There's also a change for CF2025 related to MCP client operations, regarding authorization, also covered below.
To be clear, there are no other bug fixes or known issues indicated for this update.
Note also that this update is indeed different from the other update for CF2025 and 2023 earlier this month, which I discussed in a post that day, June 9.
As with each CF update, I share the details about the update (from Adobe and from others) as well as additional info you may want to consider before (or after) doing the update.
For more, read on.




