Back to news
Cybersecurity Alert
June 22, 2026 by EmailMeNow IT Consulting

Adobe May 2026 Security Update Patches 52 Flaws — Connect, Commerce, and Creative Cloud at Risk

Adobe's May 12, 2026 PSIRT release fixes 52 vulnerabilities across Illustrator, Premiere Pro, After Effects, Adobe Connect, and Adobe Commerce. Independent audits score adobe.com at 74% but commerce.adobe.com at 35% — weeks after Adobe's April third-party BPO breach.

Source: Adobe Product Security Incident Response Team (PSIRT)

AdobeVulnerability DisclosurePatch ManagementThird-Party RiskCybersecurityTexas Law Firms
Adobe security advisory for Connect, Commerce, and Creative Cloud products

Adobe has released fixes for security problems in several popular products, including Illustrator, Premiere Pro, After Effects, Adobe Connect, and Adobe Commerce. If left unpatched, these issues could let someone take control of a computer or account, install unwanted software, or access and change files.

The May 12, 2026 monthly security release addresses 52 vulnerabilities across 10 product families, according to Adobe PSIRT bulletins. Adobe states it is not aware of active exploitation for these specific CVEs, but the update arrives as organizations are still responding to Adobe’s April 2026 third-party BPO breach — a separate incident we covered in our April 2026 cyber incidents roundup.

Read Adobe’s security bulletin index:
https://helpx.adobe.com/security.html

What Adobe Patched

Adobe Connect (APSB26-50) — highest severity

Two critical flaws in the Adobe Connect Desktop Application affect versions through 2025.9.15 (Windows) and 2025.8.157 (macOS):

  • CVE-2026-34659 (CVSS 9.6) — deserialization of untrusted data leading to arbitrary code execution
  • CVE-2026-34660 (CVSS 9.3) — incorrect authorization leading to privilege escalation

Adobe rates this update Priority 3 and recommends upgrading to Desktop Application 2026.3.125 (Windows) / 2026.01.39 (macOS).

Adobe Commerce & Magento Open Source (APSB26-49) — largest patch volume

Adobe Commerce received 15 fixes (10 high-severity, 5 medium-severity) covering arbitrary code execution, security feature bypass, denial-of-service, cross-site scripting, and path traversal. Adobe assigned Priority 2 — higher than most Creative Cloud updates — because Commerce has been targeted in past campaigns.

Affected release lines include 2.4.8-p4 and earlier, 2.4.7-p9 and earlier, and 2.4.6-p14 and earlier. Adobe published patch releases including 2.4.8-p5, 2.4.7-p10, and 2.4.6-p15 on May 12, 2026.

Creative Cloud desktop applications

ProductBulletinNotable impact
Premiere ProAPSB26-46Remote code execution in versions through 25.6.4 and 26.0.2
After EffectsAPSB26-48Remote code execution in versions through 25.6.4 and 26.0
IllustratorAPSB26-51Two critical code-execution flaws (CVE-2026-34661, CVE-2026-34687) in 2025 29.8.6 and 2026 30.3 and earlier
Media EncoderAPSB26-47Remote code execution in current release lines

Adobe also patched Substance 3D Designer, Sampler, and Painter and the Content Authenticity SDK in the same monthly batch.

Connection to Adobe’s April 2026 Breach

These product patches are not a direct response to the April breach, but they compound risk for organizations already on alert.

In April 2026 reporting, Adobe confirmed a breach through a third-party BPO contractor involving phishing and privilege escalation. Alleged exposure included support tickets, employee data, and bug bounty submissions — the same class of identity and workflow data attackers reuse in follow-on campaigns.

The May PSIRT release and the April contractor incident illustrate two parallel Adobe risk surfaces:

  1. Endpoint and server software — unpatched Connect, Commerce, or Creative Cloud installs
  2. Identity and vendor access — contractors, help desks, and SSO portals without strong MFA and monitoring

Organizations that use Adobe for creative production, webinars (Connect), or e-commerce (Commerce) should treat patching and vendor access reviews as one combined program — not separate IT and security workstreams.

Who Should Act First

  • E-commerce and retail running Adobe Commerce or Magento Open Source — apply Commerce patches immediately; restrict admin interfaces from the public internet until verified
  • Marketing and creative teams on Premiere Pro, After Effects, or Illustrator — update via the Creative Cloud desktop app; do not open untrusted project or asset files on outdated builds
  • Legal, HR, and training departments using Adobe Connect for webinars or depositions — prioritize Connect Desktop Application updates on all presenter and attendee machines
  • Managed service providers and BPO vendors with Adobe admin access — enforce MFA, least-privilege roles, and session logging (lessons from the April contractor breach)

Priority Actions

  1. Inventory Adobe products across workstations, VDI pools, and Commerce/Connect servers.
  2. Patch Commerce and Connect first — highest CVSS scores and Priority 2 rating on Commerce.
  3. Push Creative Cloud updates through your MDM or RMM tool; verify build numbers match PSIRT solution tables.
  4. Restrict Commerce admin panels — allowlist admin IPs, enforce MFA, and review extension/third-party module code.
  5. Review BPO and contractor Adobe access — align with vendor risk assessments after the April incident.
  6. Monitor for phishing referencing Adobe invoices, Connect meeting invites, or Commerce order alerts.

Post-Incident Security Posture Assessment

We ran independent EmailMeNow Cybersecurity Audits against Adobe’s primary public domains on June 22, 2026:

Organization (Domain)OverallRisk Level
Adobe (adobe.com)74%Good
Adobe Business (business.adobe.com)35%Critical Risk
Adobe Commerce (commerce.adobe.com)35%Critical Risk

These scores reflect email authentication and transport security on public-facing domains — not whether individual CVEs are patched on your workstations. They do show a split posture: the main adobe.com marketing domain scores well, while commerce.adobe.com and business.adobe.com sit in the Critical Risk band, which can make phishing and domain impersonation easier against merchants and enterprise customers.

Audit links:

Why Texas Businesses Should Care

Texas organizations across hospitality, retail, legal marketing, and creative services routinely depend on Adobe tools. Unpatched desktop software can become the entry point for ransomware; unpatched Commerce instances can expose customer PII and payment workflows — incident patterns we track in Texas OAG breach reports and hospitality & retail breach summaries.

Patching alone does not satisfy Texas SB 2610 documentation expectations, but a written patch-management and vendor-access program is part of a defensible cybersecurity posture when client or customer data is at stake.


Protect your organization.

Run a free Instant Cybersecurity Audit at audit.emailmenow.com to review DMARC, SPF, DKIM, and transport security — and contact EmailMeNow IT Consulting for patch-management policy, vendor risk review, and SB 2610 documentation support.


Sources: Adobe Security Bulletins · APSB26-50 — Adobe Connect · APSB26-49 — Adobe Commerce · APSB26-51 — Illustrator · EmailMeNow audits — adobe.com · commerce.adobe.com