Adobe Campaign Classic administrators should update systems affected by CVE-2026-48286. NVD lists Adobe Campaign Classic 7.4.3 build 9396 and earlier as affected by an incorrect authorization vulnerability with a CVSS 10 critical rating. The fixed build called out in public reporting for Adobe’s bulletin is Adobe Campaign Classic 7.4.3 build 9397.
This is a protect-only operations guide for enterprise application owners, marketing operations teams, MSPs, and hosting teams that support Adobe Campaign Classic on Windows or Linux. Fix I.T. Phill is not publishing attack steps or scanner checks. The safe action path is inventory, backup, vendor update, integration testing, log review, and customer communication.
Affected Versions And Fixed Build
| Product | Affected versions | Fixed build target |
|---|---|---|
| Adobe Campaign Classic | 7.4.3 build 9396 and earlier | 7.4.3 build 9397 or later vendor-supported fixed build |
Campaign Classic often sits close to customer data, email delivery, authentication integrations, tracking workflows, and business-critical marketing automations. Treat affected self-managed or hybrid deployments as a priority maintenance item even if the system is not a public storefront.
Plain-English Impact
NVD describes CVE-2026-48286 as an incorrect authorization issue that could lead to arbitrary code execution in the context of the current user, without requiring user interaction. For administrators, that means the patch is not optional housekeeping. It is a security update for a high-value enterprise application that may contain customer, campaign, tracking, and integration data.
Patch Checklist
- Inventory every Campaign Classic instance, including production, staging, disaster recovery, and reporting environments.
- Confirm the exact build number and whether the instance is self-managed, hosted, or part of a vendor-managed service.
- Back up the application server, configuration, workflows, custom scripts, integration settings, and Campaign database before maintenance.
- Confirm the vendor-supported update path for your deployment model and operating system.
- Apply Adobe Campaign Classic 7.4.3 build 9397 or the current fixed build approved for your environment.
- Restart services in the documented order and verify that scheduled workflows resume correctly.
- Test authentication, campaign workflow execution, message sending, bounce handling, tracking, reporting, API integrations, SFTP/file imports, and CRM or ecommerce data flows.
If You Cannot Patch Immediately
The correct remediation is the vendor update. If a short delay is unavoidable, reduce exposure while keeping the maintenance window urgent:
- Restrict administrative access to trusted networks and known operators.
- Review integration accounts and remove unused credentials or stale access.
- Pause risky nonessential imports or external automations until the system is patched.
- Increase monitoring around login, workflow, file transfer, API, and outbound delivery activity.
- Tell campaign owners when maintenance may affect sends, reporting, tracking, or data synchronization.
Post-Update Verification
- Confirm the final Campaign Classic build number from trusted inventory or application administration.
- Verify campaign workflows, scheduled jobs, message delivery, bounce processing, tracking, and reporting.
- Review application, database, authentication, file transfer, and integration logs for unusual activity before and after the maintenance window.
- Check for unexpected administrator accounts, workflow changes, integration changes, or new scheduled activity.
- Document the patch time, final build, tests performed, and any customer-facing impact.
Customer And Business Notes
For agencies and managed service providers, the customer message should focus on business continuity: a critical Adobe Campaign Classic security update was released, the affected build status was checked, the update is scheduled or complete, and campaign workflows will be verified after maintenance. Avoid sending technical attack details in broad customer messages.
