Skip to main content

CAI Content Credentials EUVDEUVD-2026-35843

| CVE-2026-34713 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-09 adobe GHSA-x2pp-hg54-xgcf
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 22:21 vuln.today

DescriptionNVD

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

AnalysisAI

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenticated attackers to exhaust system resources and crash the application by triggering uncontrolled resource consumption during C2PA content processing. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV, but the CVSS 7.5 score reflects easy network-based exploitation with no user interaction required. Affected deployments are those embedding Adobe's Content Authenticity SDK for verifying or generating C2PA provenance manifests on web-facing services.

Technical ContextAI

CAI (Content Authenticity Initiative) Content Credentials implement the C2PA (Coalition for Content Provenance and Authenticity) standard for cryptographically signed media provenance metadata. The affected components are the c2pa-web library (version 0.7.1) and the c2pa SDK (version 0.80.1 and earlier), which parse and validate C2PA manifests embedded in images, video, and other media. The root cause is CWE-400 (Uncontrolled Resource Consumption), typical of parsers that fail to bound input size, recursion depth, or allocation during manifest decoding - a malformed or maliciously crafted manifest can drive CPU, memory, or thread usage to exhaustion. The CPE cpe:2.3:a:adobe:cai_content_credentials:*:*:*:*:*:*:*:* covers Adobe-distributed builds of these libraries.

RemediationAI

Patch available per vendor advisory APSB26-61 (https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html) - upgrade c2pa-web beyond 0.7.1 and the c2pa SDK beyond 0.80.1 to the fixed versions Adobe identifies in that bulletin; the input data does not enumerate the exact fixed version numbers, so consult the advisory directly. Until patched, compensating controls include enforcing strict size limits on uploaded media (e.g., reject files above a known-good threshold before passing them to the parser), running C2PA validation in an isolated worker process or container with CPU and memory cgroup limits so a runaway parse cannot starve the host, and adding request-rate limits on endpoints that trigger manifest parsing. The trade-off is that aggressive size limits may reject legitimate high-resolution provenance-rich assets, and sandboxing adds operational complexity.

CVE-2026-34712 HIGH
7.5 Jun 09

Denial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau

CVE-2026-34711 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34665 HIGH
7.5 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab

CVE-2026-47903 MEDIUM
6.2 Jun 09

Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a

CVE-2026-47904 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows

CVE-2026-47902 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all

CVE-2026-47905 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a

CVE-2026-34669 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34688 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34668 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34670 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34679 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

Share

EUVD-2026-35843 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy