Skip to main content

CAI Content Credentials CVE-2026-34657

| EUVDEUVD-2026-35844 MEDIUM
Path Traversal (CWE-22)
2026-06-09 adobe GHSA-hvmh-vjjx-rw3h
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 22:25 vuln.today

DescriptionNVD

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in an arbitrary file system write. An attacker could leverage this vulnerability to write to unauthorized files or directories outside of intended restrictions. Exploitation of this issue requires user interaction in that a victim must extract a maliciously crafted file.

AnalysisAI

Path traversal in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits arbitrary file writes outside the intended extraction directory when a victim opens a maliciously crafted C2PA content credentials file. The CVSS vector confirms a local attack surface (AV:L) with high integrity impact (I:H) and no confidentiality or availability impact, meaning an attacker's primary capability is unauthorized file placement on the target filesystem. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Technical ContextAI

The Adobe CAI (Content Authenticity Initiative) Content Credentials SDK implements the C2PA (Coalition for Content Provenance and Authenticity) open standard for embedding provenance and tamper-evidence metadata into digital media files. The CPE string cpe:2.3:a:adobe:cai_content_credentials:*:*:*:*:*:*:*:* identifies the affected product scope across all prior versions. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) is the root cause - the SDK fails to sanitize file paths embedded within credential archives during extraction, permitting sequences such as '../' or absolute path references to resolve outside the designated output directory. This is a well-understood class of archive extraction flaw ('zip slip') where the extraction routine does not canonicalize or validate the resolved path against the intended base directory before writing.

RemediationAI

Upgrade both affected SDK packages to the versions specified in Adobe security advisory APSB26-61 at https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html - the exact fixed version numbers are documented there and were not independently confirmed from the available input data, so citing the advisory directly is necessary. As a compensating control pending upgrade, restrict or sandbox filesystem write permissions for the process invoking the SDK so that even a successful path traversal write lands in an inconsequential or monitored directory rather than sensitive system paths. Additionally, avoid processing C2PA files received from untrusted or unverified sources until patched. Do not rely on upstream content signing as a bypass mitigation, as the vulnerability lies in the extraction path, not the signature verification logic.

CVE-2026-34712 HIGH
7.5 Jun 09

Denial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau

CVE-2026-34711 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34713 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34665 HIGH
7.5 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab

CVE-2026-47903 MEDIUM
6.2 Jun 09

Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a

CVE-2026-47904 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows

CVE-2026-47902 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all

CVE-2026-47905 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a

CVE-2026-34669 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34688 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34668 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34670 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

Share

CVE-2026-34657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy