Adobe Acrobat CVE-2026-34621: How to identify and fix vulnerable assets

What is CVE-2026-34621 and why is it critical? 

CVE-2026-34621 is a high-severity vulnerability affecting the embedded JavaScript execution engine within Adobe Acrobat and Reader. Attackers have actively exploited this zero-day flaw since at least December 2025 using socially engineered PDFs. CVE-2026-34621 was listed on both NVD and CISA KEV on April 13. Additional information, including patching instructions, is available at Adobe's Security Bulletin.

The vulnerability: 

• Has a CVSS base score of 8.6 (Critical).

• Is a Prototype Pollution flaw (CWE-1321) that allows arbitrary code execution in the context of the current user. 

• Uses privileged Acrobat APIs like util.readFileIntoStream() to silently extract local files and exfiltrate data.

• Was subjected to a critical patch bypass (CVE-2026-34622), requiring a secondary emergency update from Adobe.

As of April 15, 2026, multiple versions are impacted. Ensure you are targeting the post-bypass secure baselines.

Systems affected – Windows and MacOS systems running the following versions: 

Systems not affected: 

• Acrobat DC and Acrobat Reader DC updated to version 26.001.21431 or later. 

• Acrobat 2024 updated to version 24.001.30365 or later.

Note on update track: In Adobe Acrobat, "Continuous" and "Classic" determine how and when your software gets updated. Software on the Continuous track gets constant/silent app updates while classic requires a manual download and patch.

How to identify assets vulnerable to CVE-2026-34621 with Axonius 

The Axonius queries below will help you identify assets vulnerable to CVE-2026-34621 across your infrastructure and software estate. Before you begin, perform a global discovery to ensure your asset data is current.

1. Identify vulnerable Acrobat instances detected by your vulnerability scanners

To find instances of the CVE-2026-34621 already identified by your vulnerability scanners, go to Assets > Exposures > Aggregated Security Findings and search for:

2. Identify vulnerable assets running Acrobat and NOT found by your scanners

To reduce the mean time to detection (MTTD) or deployment gaps from vulnerability scanners, go to Assets > Software and then search for all Acrobat instances (excluding the Acrobat Update Utility):

From the results, click the link under device count to get a list of affected assets. 

Remediation and mitigation guidance for CVE-2026-34621

Update Adobe Acrobat DC and Reader DC to version 26.001.21431 or later, and Acrobat 2024 to version 24.001.30365 or later; these are the post-bypass secure baselines. The U.S. CISA mandates federal agencies to patch by April 27, 2026, under BOD 22-01. 

Recommended patch versions and deployment methods

• Acrobat DC / Reader DC (Continuous): Update immediately to the secure baseline listed above.

• Acrobat 2024 (Classic): Update immediately to the secure baseline listed above.

• Deploy updates centrally using AIP-GPO, bootstrapper, SCUP/SCCM, Apple Remote Desktop, or SSH.

Compensating controls if immediate patching is not possible

• Disable JavaScript in Adobe Acrobat and Reader to neutralize the exploit chain at an architectural level.

• Do not open PDF files from untrusted sources (successful exploitation requires a user opening a malicious file).

• Block outbound HTTP/HTTPS traffic originating from endpoints where the User-Agent contains the string "Adobe Synchronizer" to disrupt data exfiltration.

• Monitor endpoint detection systems for anomalous child processes or unexpected file reads originating from Acrobat.exe or AcroRd32.exe.

Where to find more information on CVE-2026-34621

The following resources provide official patch details, exploit timelines, and threat analysis for CVE-2026-34621 and its subsequent bypass (CVE-2026-34622):

• Adobe Security Bulletin APSB26-44 (Patch Bypass Updates)

• CISA Known Exploited Vulnerabilities Catalog 

• The Hacker News Threat Analysis

• SecurityWeek Exploit Timeline