Announcing ColdFusion updates of Jun 30 2026 - p1 security update - thoughts and resources
In brief, this update is classed by Adobe as a P1 (Priority 1, "Critical") security update. Then again, the security bulletin (link below) indicates as of today that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates."
[Update within a half hour of this original post: I decided to add a bit more clarification about some changed behavior in the update, rather than just point to the technote for it. See first this next paragraph and then the "what's changed" section below. If you're seeing this post for the first time after this tweak, do just keep reading after this paragraph. :-)]
See below for some breaking change impacts of these security changes on cfexchange and (separately) some aspects of xml processing. There's also a change for CF2025 related to MCP client operations, regarding authorization, also covered below.
To be clear, there are no other bug fixes or known issues indicated for this update.
Note also that this update is indeed different from the other update for CF2025 and 2023 earlier this month, which I discussed in a post that day, June 9.
Like with each CF update, I share the details about the update (from Adobe and from others) as well as additional info you may want to consider before (or after) doing the update.
For more, read on.
(And FWIW I'll note that I have installed the update for each of the releases on multiple machines, starting from different update levels, and on multiple OS's, and I can report that it went well with regard to performing the update itself. As for whether your apps will be affected by the update, or others you may be skipping, I can't speak to that other than to offer the info about the update itself, below.)
Following are the topics discussed in this post:
- Finding the update (and more about it)
- What are the security issues addressed in the update?
- What's changed in the update?
- Packages updated in this update
- Additional info to consider before/after doing CF updates
- On getting help with the update(s)
I appreciate that some people look for my posts as a go-to resource about the update, and some may wish I'd gotten this note out earlier today (the day of the update's release). Besides testing on multiple machines, I also take time to consider feedback shared in the community, or things I may learn as I offer help to them and my own clients. (So far, again, I'm not aware of any issues with the update itself. That said, sometimes issues may arise due to caching--with respect to "seeing" or downloading the update. Only time will tell, but such problems inevitably do pass.)
Finding the update (and more about it)
You should find news of the new update in your CF Admin upon login (assuming "check for updates" is enabled in its Package Manager "Settings" tab, or if you click the "check for updates" button under the "Core Server" section of the Package Manager page). If you don't find it there, even today, again give it time, as there may be a caching issue.
Otherwise, Adobe has announced the update via their CF Portal, specifically these:
(Curiously, there is still no post for the update in the CF Community Forums, where often there tends to be more "discussion" from community members.)
And each such announcement points to the very important update technote available for each version:
BTW, note that the URL for these technotes has changed: I find currently that taking the older "helpx" URL for a previous update (such as for CF2023 update 19) and simply incrementing the update number results in a 404 error. The docs now use guides.adobe.com rather than helpx.adobe.com.
What are the security issues addressed in the update?
As I indicated at the outset, this update is focused solely on security. Quoting from the update technotes, the update "resolves critical vulnerabilities that could lead to arbitrary code execution, privilege escalation, and security feature bypass."
As for the CF aspects of the security vulnerabilities, see both the update technotes above and the Adobe Product Security Bulletin (or APSB) for this update, which indicates how it's indeed a Priority 1 "Critical" update: the CVEs listed in the bulletin range in CVSS score from 6.5 to 10.0 out of 10, with six of them scoring 10.0. The bulletin identifies the specific CVE IDs addressed, which you can look up in the NIST NVD.
You can read the bulletin for the boilerplate identification of the issues, and the CVE documents. Sadly, as is nearly always the case, there is very little detail beyond that about the vulns, and certainly no information to help you "detect if you're vulnerable". The expectation is that "you are" (vulnerable) and therefore "you should apply the update" in order to get the protection it offers.
What's changed in the update?
This update, like some in the past, does introduce some breaking changes (where Adobe is sacrificing compatibility for the sake of security), which will impact some (but not all) CF apps.
Changes regarding cfexchange and xml processing, in CF2025 and CF2023
The changes in this update affect:
- those using cfexchange (and related tags), including app-level control of the changed behavior as well as available jvm args to revert to the previous behavior
- those using the xmlsearch() and xmltransform() functions, including jvm arguments that would allow you to re-enable functionality disabled by this update
As for jvm args (aka "JVM flags"), if used, these are settable in the CF Admin "Java and JVM" page (or in CF's jvm.config file). The new/updated flags are:
- -Dcoldfusion.attachment.allowblockedextensions
- -Dcoldfusion.xml.saxon.allowResultDocumen
- -Dcoldfusion.xml.saxon.allowUnparsedText
- -Dcoldfusion.xml.saxon.allowDocFunction
- -Dcoldfusion.xml.saxon.allowEnvironmentVariable
For more on each of these, see the update technotes, as well as the link each technote offers to a page (one for CF2025 and one for CF2023/2021) with more details on these flags.
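Since each of these flags exists to revert a protection the update introduces, it is worth being able to see at a glance which ones have been switched on in a given jvm.config (for instance on a server someone else administers, or after a post-update "it broke, so I added the flag" fix). The following is an added example script of my own for that audit, not code from the post or from Adobe. It assumes that each flag is a boolean -D system property and that a value of "true" re-enables the behavior the update disabled (the technotes document the exact semantics); the jvm.config excerpt is constructed for the example. Rather than a fixed list of five names, it matches the two property-name prefixes the flags share (coldfusion.xml.saxon.allow and coldfusion.attachment.allow), so a flag from the same family added in a later update is still reported.

```python
"""Audit a ColdFusion jvm.config for security-hardening opt-out flags.

Added example (not from the original post or from Adobe). Parses the
java.args line, which is where CF reads JVM arguments, and reports every
-D property that turns one of the update's protections back off.
"""
import re

# Constructed sample jvm.config excerpt, not a real server's file. In a real
# file the java.args line is a single very long line.
SAMPLE_JVM_CONFIG = """\
# VM configuration
java.home=/opt/coldfusion2025/jre
java.args=-server -Xms256m -Xmx2048m -XX:MaxMetaspaceSize=512m -Dcoldfusion.home={application.home} -Dcoldfusion.xml.saxon.allowUnparsedText=true -Dcoldfusion.attachment.allowblockedextensions=TRUE -Dcoldfusion.xml.saxon.allowDocFunction=false -Duser.language=en
"""

# Property-name prefixes shared by the opt-out flags named in the technotes.
# Assumption: each is a boolean -D property and "true" reverts the hardened
# default introduced by the update.
OPT_OUT_PREFIXES = ("coldfusion.xml.saxon.allow", "coldfusion.attachment.allow")

# A -D property must start its own whitespace-separated token, so that e.g.
# "-XX:-DisableExplicitGC" is not mistaken for a system property.
_DPROP = re.compile(r"(?<!\S)-D([^\s=]+)(?:=(\S*))?")


def parse_java_args(jvm_config_text):
    """Return {property: value} for every -D property on the java.args line.

    A -D flag given without '=value' is recorded with value '' so it stays
    visible to the audit. A later duplicate overrides an earlier one, which
    is how the JVM itself treats repeated system properties.
    """
    props = {}
    for line in jvm_config_text.splitlines():
        if line.startswith("java.args="):
            for name, value in _DPROP.findall(line[len("java.args="):]):
                props[name] = value
    return props


def find_reverted_protections(jvm_config_text):
    """Return the sorted names of update-hardening flags that are set to true."""
    props = parse_java_args(jvm_config_text)
    return sorted(
        name
        for name, value in props.items()
        if name.startswith(OPT_OUT_PREFIXES) and value.strip().lower() == "true"
    )


if __name__ == "__main__":
    # Run against the constructed sample; point it at a real jvm.config by
    # reading that file's text instead.
    for flag in find_reverted_protections(SAMPLE_JVM_CONFIG):
        print(f"WARNING: {flag}=true reverts a protection from the security update")
```

Run it against the sample and it reports the two flags set to true (the case-insensitive "TRUE" included) and ignores the one explicitly set to false. If you set these flags through the CF Admin "Java and JVM" page instead of editing the file by hand, they still end up on the java.args line of jvm.config, so the same check applies either way; adding it to your post-update checklist makes any opt-outs a deliberate, documented decision rather than something discovered later.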
Note there is also an available document listing all the JVM args as added per different updates to CF2025 and CF2023:
Changes regarding an aspect of CF2025's AI functionality, MCP client authorization
Note finally that the CF2025 update has changes related to the optional new AI functionality (available only with CF2025), including a change regarding MCP Client operations, where STDIO MCP servers now support three levels of command authorization.
Packages updated in this update
As is the case with many of the CF updates, this one does include updates to a few of its packages. See the table at the bottom of each technote indicating what packages were updated (which differs slightly between the two versions).
(As I noted at the outset, this update includes no other changes, bug fixes, or known issues, as documented in the update technotes at the time of this writing.)
Additional info to consider before/after doing CF updates
Finally, just as with ANY CF update, there are a few issues you should keep in mind. Some have to do with things you should consider BEFORE doing any CF update, while others relate to considerations AFTER the update is applied.
I used to cover them within each of these posts, but I have tried to avoid repeating them. I'll say again that I plan to create a new post pulling the points out to stand alone (as a sort of best-practices guide for CF updates). But until then, look first at the closing sections of my Apr 2026 update post:
- Things to beware BEFORE doing any CF update
- Changes, as a result of any CF updates you may be skipping
- Beware also that if you'd modified the pathfilter.json file introduced in the May 2025 CF update, sadly that file will be overwritten
- How can you assess if the update went well?
- 1) Check the update log, both for success applying the update
- 2) Check that same update log, for success in the update downloading any updated package
- 3) Check the coldfusion-out.log for success during UPDATING of any packages
- A few other topics generic to recent CF updates, which you may want to consider
- You should strongly consider "clearing the felix-cache"
- Other update topics to consider
And then there were still other generic update topics which I'd covered in still previous posts, the last one in my post on the Oct 2024 updates. After that I started having my subsequent posts point people instead to the bottom of that post for these equally important topics:
- What to consider, with regard to some previous CF updates (possible breaking changes)
- As with all CF updates, possible need to upgrade web server connector
- Something to consider, if you're updating CF2023 from its update 4, or earlier
- and more
On getting help with the update(s)
Finally, as for getting more help with the update, you have a few options.
First, you can reach out to Adobe via the post(s) announcing the update which I pointed to above. Adobe folks might well respond to issues you raise there. Or you could reach out to their support email addresses.
Next, you can also reach out to the wider CF community for help or to hear from others. Note that I offer links to several of the online CF communities here.
Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly (often minutes, rarely even hours), getting you back on your feet. More at carehart.org/consulting.
For more content like this from Charlie Arehart:
- Signup to get his blog posts by email:
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed