CVE-2026-1288

MEDIUM 5.5

RFA File Parsing Vulnerability in Autodesk Revit

CVSS Score

5.5

EPSS Score

0.0%

EPSS Percentile

0th

A maliciously crafted RFA file, when converted to FormIt via “Convert RFA to FormIt” in Autodesk Revit, can force a NULL Pointer Dereference vulnerability. Successful exploitation may cause the application to crash, leading to a denial-of-service condition.

CWE	CWE-476
Vendor	autodesk
Product	revit
Published	Jun 17, 2026
Last Updated	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for autodesk revit

Be the first to know when new medium vulnerabilities affecting autodesk revit are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

Autodesk / Revit

2027.0.0 < 2027.1.0 2026.0.0 < 2026.4.1 2025.0.0 < 2025.4.5 2024.0.0 < 2024.3.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

autodesk.com: https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0007 autodesk.com: https://www.autodesk.com/products/autodesk-access/overview