Skip to main content

CAI Content Credentials CVE-2026-47904

| EUVDEUVD-2026-35848 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-06-09 adobe GHSA-vr3p-xmf5-v63x
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 22:24 vuln.today

DescriptionNVD

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

AnalysisAI

Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows a local attacker without privileges to exhaust system resources, resulting in a denial-of-service condition. The vulnerability requires no user interaction, meaning it can be triggered programmatically by any process with local access to a system running the affected SDK. No public exploit code or CISA KEV listing has been identified at time of analysis.

Technical ContextAI

Adobe CAI Content Credentials is an SDK implementing the C2PA (Coalition for Content Provenance and Authenticity) standard, used for embedding and verifying cryptographic provenance metadata in media content. The CPE string cpe:2.3:a:adobe:cai_content_credentials identifies this as an Adobe application-layer component distributed in two package variants: c2pa-web (browser/WebAssembly target) and c2pa (native/server-side target). CWE-400 (Uncontrolled Resource Consumption) indicates the root cause is a failure to impose limits on resource-intensive operations - typically unbounded loops, recursive parsing, or memory allocation triggered by crafted input - allowing an attacker to drive CPU, memory, or I/O to exhaustion without corresponding validation or throttling controls.

RemediationAI

The primary remediation is to upgrade to patched versions per Adobe security advisory APSB26-61, available at https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html. The advisory is the authoritative source for specific fixed version numbers, as the input data does not independently confirm exact fix versions beyond noting that 0.7.1 (c2pa-web) and 0.80.1 (c2pa) are the last vulnerable releases - consult APSB26-61 for confirmed patched releases before upgrading. As a compensating control where immediate patching is not possible, restrict access to the C2PA content processing pipeline so that only trusted, validated input reaches the SDK, reducing the attacker's ability to supply resource-exhausting payloads. Additionally, deploy process-level resource limits (e.g., ulimit, container cgroup memory and CPU constraints) around services invoking the SDK to contain the blast radius of any exploitation attempt - note this does not eliminate the vulnerability but limits its impact to the sandboxed process rather than the host system.

CVE-2026-34712 HIGH
7.5 Jun 09

Denial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau

CVE-2026-34711 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34713 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34665 HIGH
7.5 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab

CVE-2026-47903 MEDIUM
6.2 Jun 09

Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a

CVE-2026-47902 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all

CVE-2026-47905 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a

CVE-2026-34669 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34688 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34668 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34670 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34679 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

Share

CVE-2026-47904 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy