Announcing ColdFusion updates of Jul 14 2026 - p1 security update - thoughts and resources
In brief, this update is another classed by Adobe as a P1 (Priority 1, "Critical") security update. Specifically, the Adobe produce security bulletin (linked to below) indicates that the update addresses "vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass". And while it also says that, "Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates", note that it's not uncommon that the vulns will immediately be being reverse-engineered and exploited by bad guys--or good guys trying to warn folks.
As such, it's always important to apply CF updates, and still more important for CF security updates, but then especially if they are classed as "critical" like this (though it's also true that some vulns are in features that may be disabled by default, or disabled for you, in which case their urgency is diminished).
Finally, as happens with about 30% of CF security updates, this one has a potential breaking change (which could affect some apps but not all), and there is a new jvm flags/args which would allow you to trade back that improved security for compatibility. You should consider such changes carefully before just applying the update in prod (as some do) or relying on only light testing of a few pages. The same care should be taken before just blithely sticking the jvm args in for compatibility sake.
Forewarned is forearmed. Read on for more, including many other observations I offer about what else has changed with this update, and some concluding thoughts on best practices regarding any CF update.
(If I update this post since its original release, I will track those changes at the bottom of this post.)
Quick overview
Besides the key points shared above, see below for other key aspects of the update, including first the breaking change which impacts on CF query processing (which could affect however you query databases, whether cfquery, queryexecute, cfstoredproc, etc., if you somehow use invalid "table identifiers"--which are now no longer allowed), along with a jvm arg to revert that changed behavior.
There's also a new CF add-on installer (for those who use that, as opposed to the add-on service implemented by the CF installer itself). And there's the first update made available for the CF PMT (Performance Monitoring Toolkit). if you use that tool (which was introduced in CF2018). Again, more on these below.
Beyond that there are no bug fixes or known issues indicated for this update, at this writing. (Though see below for at least one CF2025 bug fixed that I can confirm.)
And yes, this is another CF update in the month of July 2026, which is also in addition to the one released June 9. That's indeed 3 updates in barely more than a month. I discuss each in a post of their own.
Like with each CF update, I share below the details about the update (from Adobe and from others) as well as additional info you may want to consider before (or after) doing the update.
And FWIW I'll note that I have installed the update for each of the releases on multiple machines, starting from different update levels, and on multiple OS's, and I can report that it went well with regard to performing the update itself. As for whether your apps will be affected by the update, or others you may be skipping, I can't speak to that other than to offer the info about the update itself, below.
Finally, sometimes issues may arise due to caching--with respect to "seeing" or downloading the update. They may be at Adobe, or at CDNs they use, or it may be due to something in your own network. Only time will tell if it hits some, but such problems inevitably do pass.
Details on the update, applying it, and more
Following are the topics discussed in this post:
- Finding the update (and more about it)
- What are the security issues addressed in the update?
- What's changed in the update?
- Other matters about update (packages, connectors, bugs, known issues)
- Additional info to consider before/after doing CF updates
- On getting help with the update(s)
I appreciate that some people look for my posts as a go-to resource about the update, and some may wish I'd gotten this note out yesterday (the day of the update's release). Beside testing on multiple machines, I also take time to consider feedback shared in the community, or things I may learn as I offer help to them and my own clients. As for being a day late, it's that beside the above, I also had to take 5 hours out of my day for travel last night to/from the airport to pick up my wife who had been away. I love rural life, but some things are far away.:-)
Finding the update (and more about it)
As always, there are several ways you could find out about the update.
First, you should find news of the new update in your CF Admin upon login (assuming "check for updates" is enabled in its Package Manager "Settings" tab, or if you click the "check for updates" button under the "Core Server" section of the Package Manager page). If you don't find it there, even today, again give it time as again there may be caching issue.
Next, Adobe has announced the update via their CF Community Forums and CF Portal, specifically these:
As I write, there are no discussions of any issues so far. (FWIW, there tends to be more "discussion" from community members in the forum announcement than the blog post, though not always.) Note also that sometimes the community may discuss issues with the update in such places as the CFML Slack, the Facebook and Linked CF programmers group, etc. I list links to those in my cf411 site of community help resources.
And each such Adobe announcement about an update points to the very important update technote available for each version, in this case:
- ColdFusion (2025 release) Update 11
- ColdFusion (2023 release) Update 22
BTW, note that the URL for these technotes has changed mid-year. The docs now use "guides.adobe.com" rather than the "helpx.adobe.com".
Finally, as forgetting notified by email about CF updates, see the discussion below, How to get notified of updates by email, among the closing points about "additional info" on updates.
What are the security issues addressed in the update?
As I indicated at the outset, this update is focused primarily on security. Quoting from the update technotes, the update targets ""vulnerabilities that could lead to arbitrary code execution, privilege escalation, arbitrary file system read, and security feature bypass".As for the CF aspects of the security vulnerabilities, see both the update technotes above and the Adobe Product Security Bulletin (or APSB) for this update, which indicates how it's indeed a Priority 1 "Critical" update, with the 13 issues listed in the bulletin having a range of CVSS scores from 2.7 to 9.9 out of 10 (with 8 scoring 9 or above). The bulletin also clarifies the specific NIST CVEs addressed.
You can read the bulletin for the boilerplate identification of the issues, and the CVE documents. Sadly, as is nearly always the case, there is very little detail beyond that about the vulns, and certainly no information to help you "detect if you're vulnerable". The expectation is that "you are" (vulnerable) and therefore "you should apply the update" in order to get the protection it offers. And as I noted above, even if you may not think you are, bad guys may be studying/reverse-engineering the fixes to determine how non-updated CF instances might be compromised.
What's changed in the update?
As noted at the outset, there is still more about the security aspects of this update which, like about 30% of recent CF security updates, has introduced some breaking changes (where Adobe is sacrificing compatibility for the sake of security), which will impact some (but not all) CF apps.
No longer allowing "Unsafe Table Identifiers" in queries
This change affects query processing (cfquery and other tags/statements) where the SQL you send to your db might have what are called "Unsafe Table Identifiers". Sadly, the update technote doesn't indicate much about this. Indeed, it points us to another page (about what jvm args each update supports--more in a moment), where there are a couple of paragraphs worth of what little explanation is offered:
"A backward compatibility flag introduced to preserve the legacy behavior of table identifier handling. By default, this flag is false, which enables the newer identifier validation logic.
This is discussing the jvm arg (aka "JVM flag") which can revert this behavior, if desired. If used, those are settable in the CF Admin "Java and JVM" page or CF's jvm.config file). The new/updates flag is:
- -Dcoldfusion.sql.allowUnsafeTableIdentifiers (which defaults now to false)
Here's hoping that in time Adobe or someone else will clarify what these invalid "unsafe table identifiers" were, in case people may want to search their code for some (but I realize sometimes such vulns stem from the ability to create quite wide-ranging special characters and character entities that can be hard to "look for".)
As for the available document listing all the JVM args, as added per different updates to CF2025 and CF2023, those are at:
Updated add-on installers
Note that the CF update technote also indicates how there are new "CF add-on service installers" for each of CF2025 and 2023, available as always at the CF downloads page. (This downloads page offers things RELATED to CF. And while it offers the CF "zip" install download it does NOT offer the full CF installer--and that zip is NOT just a zipped up version of the full installer. It's a different animal.)
This CF add-ons installer is something only some folks use/need, if they somehow want to install the add-on service separately from the offer within the CF full installer which can implement it.
The CF update technote page gives no explanation of what if anything has changed, but I have compared the new ones to the original ones and these new ones are different. Suffice it to say they have implemented security-related changes into the add-on services as implemented in this installer, perhaps bringing it up to speed with recent CF updates, that only updated the jetty folder within CF's cfusion folder. I will not endeavor now to investigate or detail what ways things ARE different. Perhaps Adobe will clarify at some point.
Performance Monitoring Toolset updates
Note that PMT got its first update, for both CF2025 and 2023. Is a security update only. See some discussion in the same apsb as above. See also respective technote for each, including how to apply the update and some known issues in applying it (especially a need for Windows users to stop the PMT datastore first):
Again, there's no indicated change in the PMT beyond this seeming security update. Only time will tell if anyone or Adobe identifies other changes.
Configuration note: custom scripts directory paths
Finally, the update technotes also offer now a new section which is not about anything "new" with this update, but is simply Adobe clarifying something which has long been true, but not well-documented. For some reason they decided to offer this as documentation here. (It's unclear if it will be repeated on each update or not.)
The info (in each update technote for CF2025 and 2023) discusses an aspect of changing the "default script src" setting in the CF Admin, which identifies an alternative virtual directory name to be used when the CF web server connector creates virtual directories in IIS or Apache, pointing to CF's cf_scripts folder. The new info elaborates on how it's important that you also MANUALLY configure the CF admin's built-in web server (the Tomcat web server) to define virtual directories there as well. Otherwise, some aspects of the CF Admin will fail.
Besides the few paragraphs Adobe offers in this technote, see also this blog posts on the topic from Pete Frietag of a few years ago (and my comments on the more recent one):
- Pete's post on creating Tomcat virtual directories (from 2019, updated in 2025)
- Pete's post on modifying this default script src value (from 2011, updated in 2024)
Other matters about update (packages, connectors, bugs, known issues)
Now, let's move on to what else is indicated as potentially interesting (or not) in the update technotes.
Packages updated in this update
As is the case with many of the CF updates, this one does include updates to a few of its packages. See the table at the bottom of each technote indicating what packages were updated (which differs slightly between the two versions).
Connector updates in this update
Another table near the bottom of the technote also indicates that there is no need in this CF update to update/recreate the CF web server connector (unless you're on CF2023 and never updated it after its update 4).
Bug fixes/known issues in this update
As I noted at the outset, the technotes for this update indicate no bug fixes or known issues, at the time of this writing. (BTW, I am not at all suggesting "there are no other bugs that remain to be fixed" in CF. I'm referring only to what this update addresses.)
But I will share some good news for those using CF2025, if using CFReport and CFR files, and you have images in those reports. Folks using that found starting with CF2025 update 8 that the images disappeared from the reports. They are happy to now find them working as of this update, and I can confirm this. I had setup a simple test case to demonstrate to Adobe support. We never heard back that it was fixed, but it is. Little victories.
That said, it's lamentable if an update adds a bug fix but there's no indication of it. (A variant on "what happens if a tree falls in a forest and no one is there to hear it?")
Additional info to consider before/after doing CF updates
Finally, just as with ANY CF update, there are a few issues you should keep in mind. Some have to do with things you should consider BEFORE doing any CF update, while others relate to considerations AFTER the update is applied.
I used to cover them within each of these posts, but I have tried to avoid repeating them. I'll say again that I plan to create a new post pulling the points out to stand alone (as like a best practices for CF updates). But until then, look first at the closing sections of my Apr 2026 update post:
- Things to beware BEFORE doing any CF update
- Changes, as a result of any CF updates you may be skipping
- Beware also that if you'd modified the pathfilter.json file introduced in the May 2025 CF update, sadly that file will be overwritten
- How can you assess if the update went well?
- 1) Check the update log, both for success applying the update
- 2) Check that same update log, for success in the update downloading any updated package
- 3) Check the coldfusion-out.log for success during UPDATING of any packages
- A few other topics generic to recent CF updates, which you may want to consider
- You should strongly consider "clearing the felix-cache"
- Other update topics to consider
And then there were still other generic update topics which I'd covered in still previous posts, the last one in my post on the Oct 2024 updates. After that I started having my subsequent posts point people instead to the bottom of that post for these equally important topics:
- What to consider, with regard to some previous CF updates (possible breaking changes)
- As with all CF updates, possible need to upgrade web server connector
- Something to consider, if you're updating CF2023 from its update 4, or earlier
- and more
How to get notified of updates by email
One last generic topic, not currently covered in those two posts, is that if you may prefer getting notified by email about such CF updates, there are multiple options for that:
- Adobe offers a free service for you to be notified by email regarding any security updates. You can limit it, of course, to only CF. (It does not notify you about non-security CF updates, though.)
- In the cf admin Package Manager page, note there's a Settings tab at the top, and one of the configurable settings it to provide an email address/addresses to be notified by your own server. This assumes the CF admin Mail page is properly configured with an smtp server to deliver the email.
- Pete Freitag offers a wonderful (paid) service called HackMyCF, which despite the scary-sounding name checks regularly to let you know if you are not keeping up on CF security configuration matters, including updates and much more. (Indeed, it will warn if your cf configuration exposes the RDS feature as well as the CFIDE and cf_scripts folders which the news reports above say are being exploited if this June 30 2026 update is not applied.) Another key benefit, though, is that he also sends an email to hackmycf customers indicating when cf updates are released, usually the day they come out.
- And I, too, try to post about updates the day they come out. You can follow my rss feed or easily subscribe to get email notification of posts. See the simple form and rss feed link offered at the end of each post.
- CF hosting companies tend to share an email to their clients when updates come out, including VivioTech, xByte, and others.
On getting help with the update(s)
Finally, as for getting more help with the update, you have a few options.
First, you can reach out to Adobe via the post(s) announcing the update which I pointed to above. Adobe folks might well respond to issues you raise there. Or you could reach out to their support email addresses: [email protected] or [email protected].
Next, you can also reach out to the wider CF community for help or to hear from others. Again, I offer links to several of the online CF communities here.
Finally, if you may want help with considering, installing, or troubleshooting anything related to these updates (or indeed anything related to CF), I'm available for online remote consulting. I can often help solve such update problems VERY quickly (often minutes, rarely even hours), getting you back on your feet. More at carehart.org/consulting.
For more content like this from Charlie Arehart:Need more help with problems?
- Signup to get his blog posts by email:
- Follow his blog RSS feed
- View the rest of his blog posts
- View his blog posts on the Adobe CF portal
- If you may prefer direct help, rather than digging around here/elsewhere or via comments, he can help via his online consulting services
- See that page for more on how he can help a) over the web, safely and securely, b) usually very quickly, c) teaching you along the way, and d) with satisfaction guaranteed




