CVE-2026-47991 Overview
CVE-2026-47991 is an Improper Redirect (Open Redirect) vulnerability affecting Adobe Experience Manager (AEM). The flaw exists in AEM versions 6.5.24, LTS SP1, 2026.04, and earlier releases. Attackers can craft malicious URLs that redirect victims from a trusted AEM domain to an attacker-controlled site. Successful exploitation can lead to account takeover by enabling phishing flows that appear to originate from a legitimate Adobe Experience Manager instance. Exploitation requires user interaction, specifically the victim clicking a malicious link. The vulnerability is tracked under CWE-601: URL Redirection to Untrusted Site.
Critical Impact
Attackers can leverage the trusted AEM domain to redirect users to phishing infrastructure, harvesting credentials and enabling account takeover.
Affected Products
- Adobe Experience Manager 6.5.24 and earlier
- Adobe Experience Manager LTS SP1 and earlier
- Adobe Experience Manager 2026.04 (AEM Cloud Service) and earlier
Discovery Timeline
- 2026-06-09 - CVE-2026-47991 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-47991
Vulnerability Analysis
The vulnerability resides in Adobe Experience Manager's URL handling logic, where a redirect parameter accepts attacker-controlled destination values without sufficient validation. An attacker constructs a URL pointing to a legitimate AEM endpoint that includes a redirect target referencing an external domain. When the victim clicks the link, the AEM server issues an HTTP redirect to the attacker-controlled site. Because the initial URL originates from a trusted Adobe Experience Manager host, security controls and users frequently treat the link as safe. The redirect chain then delivers the victim to a phishing page that mimics Adobe or related single sign-on portals. Captured credentials enable full account takeover. The attack vector requires no authentication and operates over the network, but exploitation depends on user interaction.
Root Cause
The root cause is improper validation of user-supplied URL parameters used in redirect operations. Adobe Experience Manager fails to enforce an allowlist of approved redirect destinations or to verify that redirect targets remain within the application's own domain. The weakness is classified as CWE-601.
Attack Vector
An attacker delivers a crafted link through email, chat, social media, or compromised web content. The link points to a vulnerable AEM endpoint with a redirect parameter set to an attacker-controlled domain. When a victim clicks the link, AEM responds with a redirect to the malicious destination. The attacker site can impersonate the Adobe Experience Manager login screen, harvest session tokens, or deliver follow-on payloads. See the Adobe Security Advisory APSB26-56 for vendor-confirmed details.
Detection Methods for CVE-2026-47991
Indicators of Compromise
- Inbound HTTP requests to AEM endpoints containing redirect parameters with external domain values in query strings.
- HTTP 302 or 301 responses from AEM hosts pointing to non-Adobe domains in the Location header.
- Unusual referrer chains in web proxy logs showing AEM URLs preceding access to unknown external sites.
- User reports of unexpected redirects from AEM-hosted pages to login portals on unfamiliar domains.
Detection Strategies
- Review AEM access logs for redirect parameters such as url, redirect, next, returnUrl, or target containing fully qualified external URLs.
- Correlate web proxy and DNS telemetry to identify clients redirected from AEM domains to newly registered or low-reputation sites.
- Inspect email gateway logs for messages containing AEM URLs with embedded redirect parameters.
- Deploy URL pattern rules in WAF or reverse proxy layers that flag redirect parameters carrying off-domain destinations.
Monitoring Recommendations
- Ingest AEM web server and dispatcher logs into a centralized analytics platform for query and alerting on redirect parameter anomalies.
- Alert on spikes in 3xx responses from AEM endpoints whose Location header points to an external domain.
- Track user-reported phishing incidents that reference AEM-hosted URLs and pivot on the redirect destinations.
- Maintain reputation feeds for outbound redirect targets and block known malicious destinations at the proxy.
How to Mitigate CVE-2026-47991
Immediate Actions Required
- Apply the Adobe security update referenced in APSB26-56 to all affected AEM instances.
- Inventory all AEM on-premises, LTS, and Cloud Service deployments to confirm patch coverage.
- Notify users and administrators about phishing risks tied to AEM-hosted redirect links until patching completes.
- Audit recent AEM access logs for evidence of exploitation attempts referencing redirect parameters.
Patch Information
Adobe released fixed builds addressing CVE-2026-47991 in the security bulletin APSB26-56. Administrators must upgrade Adobe Experience Manager 6.5.24, LTS SP1, and 2026.04 to the patched versions listed in the advisory. AEM Cloud Service customers receive the fix through Adobe-managed updates.
Workarounds
- Configure the AEM dispatcher or upstream WAF to strip or validate redirect parameters against an allowlist of internal hostnames.
- Enforce server-side validation that rejects redirect targets containing absolute URLs or external schemes.
- Display interstitial warning pages when a redirect leaves the AEM domain, requiring user confirmation.
- Restrict outbound redirects to a curated set of approved domains documented in AEM configuration.
# Example dispatcher filter rules denying requests whose query string carries an absolute URL in a
# redirect parameter. Filters test the query string with /query (/url sees only the request path).
# These globs match the literal query text, so percent-encoded schemes (redirect=http%3A%2F%2F...)
# and protocol-relative targets (redirect=//host) are not caught here; keep the server-side validation as well.
/0100 { /type "deny" /query "*redirect=http*://*" }
/0101 { /type "deny" /query "*url=http*://*" }
/0102 { /type "deny" /query "*returnUrl=http*://*" }
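The log sweep listed under Detection Strategies and the server-side allowlist check listed under Workarounds rest on the same decision: does a redirect target stay on the AEM host? The Python below is an added example, not Adobe's or AEM's code; it assumes aem.example.com and author.example.com as the internal allowlist, uses the parameter names named in this advisory, and runs over constructed access-log lines.

```python
"""Added example (not Adobe's or AEM's own code): one redirect-target classifier shared by a
log-scanning detection and a server-side redirect guard. The host allowlist, parameter names
and access-log lines below are constructed for illustration."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

ALLOWED_HOSTS = {"aem.example.com", "author.example.com"}        # assumed internal AEM hosts
REDIRECT_PARAMS = {"url", "redirect", "next", "returnurl", "target"}  # names from the advisory

def target_is_internal(value, allowed_hosts=ALLOWED_HOSTS):
    """True only for a same-site target. Decodes repeatedly and normalises backslashes so
    encoded schemes, protocol-relative (//host) and userinfo (host@evil) forms are not missed."""
    v = value.strip()
    while (d := unquote(v)) != v:   # collapse %2F%2F and double-encoded variants
        v = d
    v = v.replace("\\", "/")        # browsers treat \\evil.example like //evil.example
    p = urlsplit(v)
    if p.scheme or p.netloc:        # absolute or protocol-relative: host must be allowlisted
        return p.scheme in ("", "http", "https") and "@" not in p.netloc and p.hostname in allowed_hosts
    return v.startswith("/") and not v.startswith("//")   # plain path-relative target

LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def scan_access_log(lines):
    """Detection over httpd/dispatcher access-log lines: return (status, param, target) for
    every request whose redirect parameter decodes to an off-site destination."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        query = urlsplit(m.group("path")).query if m else ""
        for name, val in parse_qsl(query, keep_blank_values=True):
            if name.lower() in REDIRECT_PARAMS and not target_is_internal(val):
                hits.append((m.group("status"), name, val))
    return hits

def safe_redirect_target(value, fallback="/"):
    """Server-side guard for the redirect: keep the target only if it stays on an allowed host."""
    return value if value and target_is_internal(value) else fallback

SAMPLE_LOG = [  # constructed combined-format lines, not real traffic
    '203.0.113.5 - - [09/Jun/2026:10:00:01 +0000] "GET /content/site/login.html?redirect=/content/site/home.html HTTP/1.1" 302 0',
    '203.0.113.6 - - [09/Jun/2026:10:00:02 +0000] "GET /content/site/login.html?redirect=https://sso.evil.example/login HTTP/1.1" 302 0',
    '203.0.113.7 - - [09/Jun/2026:10:00:03 +0000] "GET /content/site/login.html?returnUrl=%2F%2Fsso.evil.example HTTP/1.1" 302 0',
    '203.0.113.8 - - [09/Jun/2026:10:00:04 +0000] "GET /content/site/home.html HTTP/1.1" 200 4123',
]
```

Running scan_access_log(SAMPLE_LOG) flags the second and third lines only; the same target_is_internal check is what safe_redirect_target applies before the server issues its 302.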
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

