
Announcing ColdFusion updates released Jan 13 2026 - p1 security update

An update for ColdFusion has been released, Jan 13 2026, for each of cf2025 (as its update 6) and cf2023 (as its update 18). (This is the first update since CF2021 reached its end of life, as I blogged previously, so this is the first CF update NOT available for CF2021, which is something folks running it should beware.)

In brief, this update (for both versions) addresses a P1 (Priority 1, "Critical") security vulnerability, related to the Apache Tika Java framework which Adobe embeds for certain processing with CF.

Before proceeding, it's of some concern to note that unlike recent CF security updates, Adobe does NOT report (in the APSB, linked to below) that they are, "not aware of any exploits in the wild for any of the issues addressed in these updates." That omission would seem to imply that they ARE aware of this vuln being exploited, which raises the urgency of getting it applied. (It also raises the concern all the more for those on CF2021 or earlier, for whom Adobe will no longer offer ANY updates, including security updates.)

In this post, I share the details about the update (from Adobe and from others). I also share additional info you may want to consider before (or after) doing the update.

For more, read on.


Comments
I managed to find the link to the Adobe Blog post about this update via cfblogs.org. Not sure why it's not visible from Adobe's blog website.

https://coldfusion.adobe.com/2026/01/now-live-coldfusion-2025-and-2023-january-security-updates/
# Posted By German | 1/14/26 10:10 AM
Thanks, German. I've reported to them that there are quirky problems with that portal/blog. Like you, I didn't find the post, so I presumed it was not there.

I'll revise my post now to add that, leaving these comments to explain to anyone interested in the curiosity.
I happened to have /cfusion/bin open when I was running the install, and it looks like the update deletes and recreates the felix-cache folder. Would you suggest deleting it again after the update is complete?
# Posted By Bruce Longee | 1/14/26 12:07 PM
Bruce, yes. While it's true that starting a few updates ago, Adobe changed it so that they DID delete the felix-cache after the update (and it's rebuilt on startup of CF), the problem is that's after the CORE update but BEFORE the package update which again takes place DURING that CF startup.

To be clear, the update technotes were telling us to do that manual clearing of the felix-cache even AFTER the updates that started doing that "for us"...and people WERE indeed reporting that it fixed problems.

That's why I regard it simply as good hygiene. It would NOT be the first thing that the technotes failed to carry forward from one update technote to the next. I'll be happy when it's proven that it's no longer ever necessary.
Copyright ©2026 Charlie Arehart