Community Manager
January 13, 2026

NOW LIVE! ColdFusion 2025 and 2023 security updates - January 2026


We are pleased to inform you that we've released security updates for ColdFusion 2025 and 2023 releases. For more information, see the respective tech notes:

 

What's new and changed

The releases address CVE-2025-66516, a critical XXE in Apache Tika libraries. Adobe strongly recommends that you apply this update as soon as possible. Note that this update is cumulative and includes fixes from previous updates. 

This update upgrades the embedded Apache Tika libraries, providing the latest security and stability enhancements, while preserving existing application behavior.

View the tech notes, and the security bulletin, APSB26-12, for more information.

 

Download the updates

 

Docker and CFFiddle

Please download and apply the updates and provide your feedback.


    Participating Frequently
    January 15, 2026

    What can be done to mitigate this issue on older (2021) CF?

    I want to also point out the newsletter sent around notifying users of updates classified this as 3, which meant this issue stayed off my radar, in the sense of adequately attaching a priority to it.

    Charlie Arehart
    Community Expert
    January 15, 2026

    You've raised two issues. I can offer thoughts on both (while you await any reply from Adobe.)

     

    1) Just to clarify (and as you may know), CF2021 reached its end of life in November (though they "threw a bone" to those still on it with the December update, 22, likely as it was already being created when the Nov date passed). You don't indicate you're aware of that, so even if you are I repeat this for other readers. It's time to GET OFF of CF2021 (and any earlier versions), as this update is the first that is NOT made available to that version (or any earlier ones).

     

    So perhaps you're asking, "yeah, but can Adobe or anyone tell us what WE can do, on our own, as a mitigation?". I'll say Adobe may not be inclined to answer that, for the same reason as above. But we'll see.

     

    I'll note also that Satyam's answer to my question above (about the difference in how the Tika vuln was mitigated differently in 2023 vs 2025) seems to suggest that it was not trivial for them to update CF2023. As such, it may not be possible at all to mitigate the issue in 2021, and note that he indicated that they'd had to come up with "custom tika jars". I can't see them doing that for CF2021.

     

    But again, I know you're asking them, not me. I offer this in case they remain silent on the matter, which sometimes happens with such a question.

     

    2) On your observation about "the newsletter sent around", I suppose you mean the email with the subject "Adobe Security Bulletin - January 2026", which is sent (by the Adobe security team, about ALL products) to those who sign up via the "notify me" link on the left of https://helpx.adobe.com/security.html.

     

    And yes, I see now how the bottom of that email (again, discussing many products) says about the CF one that:

    "Adobe categorizes these updates as priority 3". That's indeed unfortunate (as is the typo of "AAdobe" on the line above it.) FWIW, that's followed by a link to the APSB, which does indeed indicate that it's a "critical" update, as did this blog post above and the CF update technotes.  

     

    Still, good of you to notice the inconsistency in the email: clearly one could misinterpret the severity based on that alone. It's water under the bridge now, of course. But it would be nice if someone from Adobe could acknowledge the mistake and ensure steps are taken to prevent it.

    /Charlie (troubleshooter, carehart. org)
    Participating Frequently
    January 15, 2026

    Thanks for your response.
    I am aware 2021 reached EOL, but considering the severity of this issue and its proximity to this EOL date I'm hoping Adobe would be inclined to suggest a mitigation regardless, to help people still in the process of sunsetting old servers.

    Especially since they also still offer extended support for it and are likely looking into it because of it. (I'm also aware extended support does not normally include patches.)

     

    And yes, I am indeed referring to the Security Bulletin.

    Charlie Arehart
    Community Expert
    January 14, 2026

    Thanks for the notification, Saurav. 

     

    That said, I find what seem to be a few rather confusing things related to differences between the 2023 and 2025 technotes as well as the resulting tika-related file changes. (To other readers, none of these seem to be any sort of "error" in the update, so I'm NOT at all bringing these up to cause you to hesitate to apply the update.) I bring them up as much to save others who might have noticed the same and would want to ask about it.

     

    So can you perhaps get clarification for us on these?

    • 1) First, the CF2025 technote lists tika being updated to 3.2.3, but the cf2023 technote only shows it being updated to 2.9.4. Here's what they say:
      • for 2025; "This update upgrades the embedded Apache Tika libraries in ColdFusion from Apache Tika 2.9.1 to Apache Tika 3.2.3, providing the latest security and stability enhancements, while preserving existing application behavior."
      • for 2023: "This update upgrades the embedded Apache Tika libraries in ColdFusion from Apache Tika 1.21 to Apache Tika 2.9.4, along with necessary dependencies, , providing the latest security and stability enhancements, while preserving existing application behavior."
      • But the CVE page suggests that the vuln is in anything less than 3.2.2. Some may interpret this to mean that somehow CF2023 is still vulnerable, but I don't think your PSIRT team would allow for that. Can someone clarify how it is or is not? Or is it that somehow you guys found you could NOT update CF2023 to 3.2.2? (And in that case does the tika-config.xml change below somehow relate to that?)
      • Note also that the 2023 line refers to "along with necessary dependencies" while the 2025 note does not. Was that intentional or just a slip? There were indeed many tika*.jar files changed in the cf2025 update.

    • 2) Moving on, note that the CF2023 update technote indicates that, "If you have added custom entries to the tika-config.xml file, you must ..."  and elaborates what to do.
      • But first, note that this is not mentioned also in the CF2025 update technote, even though technically it does also have that tika-config.xml file. Is that intentional or a mistake?

      • It also doesn't clarify that that file is in the cfusion/lib (or instancename/lib) folder. That would be helpful to add. (Thankfully it DOES point out how a backup of the file is saved in the hf-updates backup folder.)

      • Finally, it doesn't give any insight into why one may have changed that file, or what the default is (I see the default does differ between 2025 and 2023, and did change for 2023 to have one line that 2025 already has--and it has a comment about an optional line if one is "using pdfbox")

      • If those last two points might be improved in the 2023 technote, again it seems the discussion should be added to the 2025 technote. Would you agree?

    • 3) Finally, some may notice that the CF2025 technote lists a need to do a manual update of CF PMT (monitoring tool), but not 2023
      • That's because 2023 pmt doesn't have the indicated folder, datastore/modules/ingest-attachment

      • Even so, the technote says simply to "Replace the existing Apache Tika version with Apache Tika 3.2.3 in the following directory:

    ColdFusion2025PerformanceMonitoringToolset/datastore/modules/ingest-attachment"

      • What is really meant by that "existing Tika version"? One file, or all?

        • FWIW, there are 11 tika*.jar files with 2.9.2 in their name. Where do we get ALL of those?

        • In the cfusion/lib folder, there are 29 tika*.jar files that have NO version in their name.
        • I suppose we would be expected to delete those 11 and copy in the 11 with the same name (but no version number) from that cfusion/lib folder (after the update)
        • Is that correct?
      • Even so, there's one file in that PMT folder which has none like it in the cfusion/lib folder: tika-langdetect-tika-2.9.2.jar. Are we to replace that? Can you clarify where people should find the one you'd prefer they use?
      • Also, why isn't there just an "update" for the pmt, instead of requiring us manually copy a file? (For those who don't know, the PMT has an update mechanism and corresponding page in its web ui, just like CF does. There have been no updates yet for the 2025 PMT.)
      • Finally, the technote says to restart "elasticsearch" service, but that should be the pmt "datastore" service, as in "ColdFusion 2025 Performance Monitoring Toolset Datastore Service"

     

    As always, just trying to help.

     

    Again I'm asking publicly as others seeing this may have the same question, once they start digging in. If we can get corrections or improvements to the technotes, it will help those who may not yet have proceeded with the update. Also, calling these things out may help those who tend not to bother to read the technote, to discover there was a step that they didn't realize they were expected to perform.

    /Charlie (troubleshooter, carehart. org)
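The post above notes that the 29 tika*.jar files in cfusion/lib carry no version in their file names, while the PMT datastore copies do (e.g. tika-langdetect-tika-2.9.2.jar), which makes it hard to confirm what the update actually left behind. The script below is an added example for this thread, not code from Adobe or from the technotes: it reads each Tika jar's META-INF/MANIFEST.MF to get the real version, compares it with whatever version the file name claims, and flags jars below a threshold. The folder paths, the manifest keys checked, and the sample jars it constructs for the demo are assumptions. Note that on CF2023 a 2.9.x reading is expected, per Adobe's reply further down, so the report tells you what is installed, not by itself whether the build is patched.

```python
"""Inventory Apache Tika jars by their manifest version (added example).

Not part of the forum thread or Adobe's tooling. Point report() at
cfusion/lib, [instancename]/lib, or the PMT datastore/modules/ingest-attachment
folder (paths are assumptions) to see which Tika jars are really present.
"""
import os
import re
import tempfile
import zipfile

# Manifest keys that normally carry a jar's version (assumed order of preference).
VERSION_KEYS = ("Implementation-Version", "Bundle-Version", "Specification-Version")


def manifest_version(jar_path):
    """Return the version recorded in the jar's MANIFEST.MF, or None if absent."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            try:
                raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            except KeyError:
                return None
    except zipfile.BadZipFile:
        return None
    # Manifest continuation lines begin with a single space; join them first.
    text = raw.replace("\r\n", "\n").replace("\n ", "")
    fields = {}
    for line in text.split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    for key in VERSION_KEYS:
        if key in fields:
            return fields[key]
    return None


def filename_version(name):
    """Version embedded in the file name (tika-core-2.9.2.jar -> '2.9.2'), else None."""
    m = re.search(r"-(\d+(?:\.\d+)+)\.jar$", name)
    return m.group(1) if m else None


def inventory(lib_dir):
    """Map each tika*.jar in lib_dir to (manifest version, file-name version)."""
    result = {}
    for name in sorted(os.listdir(lib_dir)):
        if name.startswith("tika") and name.endswith(".jar"):
            path = os.path.join(lib_dir, name)
            result[name] = (manifest_version(path), filename_version(name))
    return result


def below(version, minimum):
    """True if a dotted version string sorts below the minimum (numeric compare)."""
    def parts(v):
        return tuple(int(x) for x in re.findall(r"\d+", v or "0"))
    return parts(version) < parts(minimum)


def report(lib_dir, minimum="3.2.2"):
    """Return (jar name, version) for Tika jars with no manifest version or one below minimum.

    3.2.2 is the fixed version the thread cites from the CVE page; on CF2023,
    which ships custom 2.9.x jars, every Tika jar will be listed.
    """
    flagged = []
    for name, (mv, fv) in inventory(lib_dir).items():
        if mv is None or below(mv, minimum):
            flagged.append((name, mv or fv))
    return flagged


def make_jar(path, version):
    """Write a minimal jar whose manifest records the given version (constructed sample)."""
    manifest = "Manifest-Version: 1.0\nImplementation-Version: %s\n" % version
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)


def demo():
    """Build a constructed sample lib folder and return report() for it."""
    d = tempfile.mkdtemp()
    make_jar(os.path.join(d, "tika-core.jar"), "3.2.3")                    # cfusion/lib-style name
    make_jar(os.path.join(d, "tika-parsers-standard-package.jar"), "3.2.3")
    make_jar(os.path.join(d, "tika-langdetect-tika-2.9.2.jar"), "2.9.2")   # PMT-style name
    make_jar(os.path.join(d, "commons-io.jar"), "2.11.0")                  # not a Tika jar, ignored
    return report(d)


if __name__ == "__main__":
    for jar, version in demo():
        print("%-40s %s" % (jar, version))
```

Run it against both the cfusion/lib folder and the PMT datastore folder before and after the update; a jar whose file name says one version but whose manifest says another is exactly the kind of leftover the thread is asking about.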
    Adobe Employee
    January 14, 2026


    1 & 2. Due to dependency limitations, upgrading tika jars to 3.2.3 in cf23 was not simple. But we have made sure that the vuln is mitigated through configurations in tika-config.xml & also custom tika jars 2.9.1.
    So the vuln mitigation mechanisms in cf25 & cf23 are not exactly the same, and so the differences in documentation are correct.
    3. Datastore shipped in PMT23 remains unimpacted by the vuln.
    There is a download link provided in update doc, which gives list of apache tika jars that need to be replaced in datastore folder of PMT25.

    Charlie Arehart
    Community Expert
    January 15, 2026

    Thanks for the clarifications, Satyam. A couple do remain unanswered:

    • 1) First, I'd asked for any clarification on why anyone might have edited their tika-config.xml file? (The technote warns to save such edits, as the update will replace the file.)
      • Will the technote be updated to clarify that the tika-config.xml file is in the cfusion/lib or [instancename]/lib folder? That's not obvious to readers.
      • That discussion also needs to be refined: it says that if folks DID edit it, they should restore it from either a backup they take or the backup within hf-updates. But that would cause loss of what was CHANGED by this update (which adds a new loaderrorhandler directive and several commented lines to be uncommented if pdfbox is used).
      • Finally, can anyone clarify where pdfbox comes into play with CF? It's the first I've heard about it.

    • 2) Wow on the zip for the PMT. I somehow just missed that.
      • That said, I did ask why you guys didn't just create a PMT update for 2025? That's what the update feature there is for (just like it is there for CF).
      • Finally, will the technote be updated to correct that the service is NOT named "elasticsearch"?
    /Charlie (troubleshooter, carehart. org)