Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability that could result in an arbitrary file system write. An attacker could leverage this vulnerability to write to unauthorized files or directories outside of intended restrictions. Exploitation of this issue requires user interaction in that a victim must extract a maliciously crafted file.
AnalysisAI
Path traversal in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits arbitrary file writes outside the intended extraction directory when a victim opens a maliciously crafted C2PA content credentials file. The CVSS vector confirms a local attack surface (AV:L) with high integrity impact (I:H) and no confidentiality or availability impact, meaning an attacker's primary capability is unauthorized file placement on the target filesystem. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis.
Technical ContextAI
The Adobe CAI (Content Authenticity Initiative) Content Credentials SDK implements the C2PA (Coalition for Content Provenance and Authenticity) open standard for embedding provenance and tamper-evidence metadata into digital media files. The CPE string cpe:2.3:a:adobe:cai_content_credentials:*:*:*:*:*:*:*:* identifies the affected product scope across all prior versions. CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) is the root cause - the SDK fails to sanitize file paths embedded within credential archives during extraction, permitting sequences such as '../' or absolute path references to resolve outside the designated output directory. This is a well-understood class of archive extraction flaw ('zip slip') where the extraction routine does not canonicalize or validate the resolved path against the intended base directory before writing.
RemediationAI
Upgrade both affected SDK packages to the versions specified in Adobe security advisory APSB26-61 at https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html - the exact fixed version numbers are documented there and were not independently confirmed from the available input data, so citing the advisory directly is necessary. As a compensating control pending upgrade, restrict or sandbox filesystem write permissions for the process invoking the SDK so that even a successful path traversal write lands in an inconsequential or monitored directory rather than sensitive system paths. Additionally, avoid processing C2PA files received from untrusted or unverified sources until patched. Do not rely on upstream content signing as a bypass mitigation, as the vulnerability lies in the extraction path, not the signature verification logic.
More in Cai Content Credentials
View allDenial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab
Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a
Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows
Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all
Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35844
GHSA-hvmh-vjjx-rw3h