Announcing ColdFusion updates released Apr 14 2026 - p1 security update - thoughts and resources

Posted At : April 14, 2026 10:14 PM | Posted By : Charlie Arehart
Related Categories: updates, security, cf2025, cf2023
Comments: (6)

An update for ColdFusion has been released, Apr 14 2026, for each of cf2025 (as its update 7) and cf2023 (as its update 19). In brief, this update is classed by Adobe as a P1 (Priority 1, "Critical") security update. Then again, the security bulletin (link below) indicates as of today that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."

(This is the second update since CF2021 has reached its end of life as I blogged previously, which is something folks running that should beware. You are now QUITE exposed to things fixed in these two updates, for which there is no fix for you.)

In this post, I share the details about the update (from Adobe and from others). I also share additional info you may want to consider before (or after) doing the update.

For more, read on.

[....Continue Reading....]

Comments (6)

Comments

[Add Comment]

the installer now mentions that it is clearing the felix-cache automatically. which is good. I checked and it was cleared.

# Posted By Michael | 4/15/26 6:51 PM

Michael, FWIW, I do acknowledge and address that in the section above on the topic:
https://www.carehart.org/blog/2026/4/14/coldfusion_updates_released_apr_14_2026#felix

where I conclude:

"While it's true that updates in early 2025 started doing a delete of the felix-cache folder as a FIRST step in the update process, that doesn't help if the update did update packages, in which case it's wise to delete it again AFTER the update, as discussed here. Again, this is just a recommended practice from my experience helping with hundreds of CF updates, not something Adobe mandates.)"

# Posted By Charlie Arehart | 4/15/26 9:10 PM

Charlie, why is it that every time I update to a new CF Update, I have to re-install packages? For example, after I run the update via CF Admin:

The mail package is not installed.

You can install package through CLI package manager (D:/ColdFusion2023/cfusion/bin/cfpm.bat) by running the command : install mail.

And then when I go to install mail, I get this:

cfpm>install mail
The packages repository https://www.adobe.com/go/cf2023_packages is not accessible. You can only load the packages that are available locally in the D:\ColdFusion2023\bundles directory.
The following packages will be installed : mail:2023.0.11.330706
mail(2023.0.11.330706) package is already installed.

# Posted By Sung | 5/5/26 10:56 AM

FYI, I rebooted the server and mail came back. Is reboot a necessity after running an Update?

# Posted By Sung | 5/5/26 11:11 AM

Sorry for the repeated comments, but with my FIT server, rebooting did not bring mail back. I just don't understand why these updates are so difficult to install. :(

# Posted By Sung | 5/5/26 11:25 AM

Sung, the CF updates are in fact NOT "difficult to install" for everyone. Indeed, for most folks the effort is trivial.

Those who suffer problems have specific challenges, often unique to them.

And I have never heard of the scenario you describe, where a restart after the update resolves a seeming package install problem. To be clear, the update mechanism is SUPPOSED to restart cf itself. And I always tell people to check the coldfusion-out.log after the update to observe the messages after that restart, to ensure all went well.

I can offer this: we can resolve this problem in a shared desktop session. If we don't, you won't pay for the time (which I track in as little as 15 minute increments).

Is solving this problem important enough for you to do that? If so, find and grab a slot (even today) in my online calendar. For more on my rates, approach, satisfaction guarantee, that online calendar, email, phone, and more, see the consulting page at carehart.org.

# Posted By Charlie Arehart | 5/5/26 1:59 PM

[Add Comment]

Home

View all posts

Enter your email address to subscribe to this blog.

Recent Comments

Announcing ColdFusion updates released Apr 14 2026 - p1 security update - thoughts and resources
Charlie Arehart said: Sung, the CF updates are in fact NOT "difficult to install" for everyone. Indeed, for most ... [more]

Announcing ColdFusion updates released Apr 14 2026 - p1 security update - thoughts and resources
Sung said: Sorry for the repeated comments, but with my FIT server, rebooting did not bring mail back. I just ... [more]

Announcing ColdFusion updates released Apr 14 2026 - p1 security update - thoughts and resources
Sung said: FYI, I rebooted the server and mail came back. Is reboot a necessity after running an Update?

Announcing ColdFusion updates released Apr 14 2026 - p1 security update - thoughts and resources
Sung said: Charlie, why is it that every time I update to a new CF Update, I have to re-install packages? ... [more]

Announcing updates of Apr 21, 2026 for Java 26, 25, 21, 17, 11, and 8 - thoughts and resources
Charlie Arehart said: Thanks for the kind regards. As for your issue, it's helpful that you've confirmed the pro ... [more]

Calendar

Sun	Mon	Tue	Wed	Thu	Fri	Sat
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30

Entries by year

2026

April (2)
January (2)

2025 (19)
2024 (28)
2023 (33)
2022 (20)
2021 (18)
2020 (17)
2019 (23)
2018 (15)
2017 (14)
2016 (17)
2015 (10)
2014 (19)
2013 (18)
2012 (32)
2011 (21)
2010 (30)
2009 (52)
2008 (95)
2007 (94)
2006 (94)

RSS

Contact

About

A veteran server troubleshooter who's worked in enterprise IT for more than three decades, Charlie Arehart (@carehart) is a longtime contributor to the community who as an independent consultant provides remote, short-term, and even on-demand troubleshooting/tuning assistance for organizations of all sizes and experience levels (carehart.org/consulting).

You can reach Charlie by email at charlie (at) carehart.org, or you can follow him on twitter/X, @carehart. This blog is one resource among several within https://www.carehart.org/, where you can also find out more about him.

In fact, if you'd like his help, he's available for consulting for as little as 15 minutes.

Appreciate any of the resources I've offered?

Archives By Subject

admin (109) [RSS]
apache (11) [RSS]
API Manager (4) [RSS]
basics (8) [RSS]
blogging (14) [RSS]
boxlang (1) [RSS]
bug reports (1) [RSS]
business (2) [RSS]
carehart classics (26) [RSS]
CF Server Monitor (26) [RSS]
cf10 (60) [RSS]
cf11 (46) [RSS]
cf2016 (61) [RSS]
CF2016 Intro Series (9) [RSS]
cf2018 (60) [RSS]
cf2021 (68) [RSS]
cf2023 (49) [RSS]
cf2025 (14) [RSS]
cf411 series (10) [RSS]
cf8 (52) [RSS]
cf9 (34) [RSS]
cf911 (54) [RSS]
CFBuilder (20) [RSS]
CFFundamentals (6) [RSS]
cfml (35) [RSS]
cfmx (8) [RSS]
cfmythbusters (7) [RSS]
commandbox (4) [RSS]
community (30) [RSS]
connector (8) [RSS]
contributions (13) [RSS]
debugging (14) [RSS]
derby (5) [RSS]
docker (8) [RSS]
editors (10) [RSS]
evangelism (5) [RSS]
fusionreactor (63) [RSS]
general (59) [RSS]
hidden gems (12) [RSS]
homesite+ (3) [RSS]
hotfix (21) [RSS]
IIS (13) [RSS]
installation (9) [RSS]
introduction (2) [RSS]
java (51) [RSS]
javascript (2) [RSS]
jdbc (10) [RSS]
keyboard shortcuts (5) [RSS]
licensing (8) [RSS]
logs (8) [RSS]
lucee (21) [RSS]
migrating (2) [RSS]
monitoring (42) [RSS]
news (22) [RSS]
orm (2) [RSS]
performance (15) [RSS]
personal (3) [RSS]
PMT (6) [RSS]
podcasts (5) [RSS]
presentations (34) [RSS]
railo (10) [RSS]
redis (2) [RSS]
resource lists (26) [RSS]
security (36) [RSS]
seefusion (11) [RSS]
sql server (14) [RSS]
tips (22) [RSS]
tomcat (9) [RSS]
tools (44) [RSS]
training (8) [RSS]
troubleshooting (76) [RSS]
tuning (14) [RSS]
ugtv (11) [RSS]
updates (76) [RSS]
web services (8) [RSS]
webserver (5) [RSS]
writing (20) [RSS]
zeus (3) [RSS]

Upcoming/Recent Conference Appearances

Adobe CF Summit
Jun 2026

Into The Box
May 2026

CFCamp
May 2025

Adobe CF Summit East
Mar 2025

BlogCFC was created by Raymond Camden. This blog is running version 5.005.
(Want to validate the HTML in this page?)

Managed Hosting Services provided by