Skip to main content

CAI Content Credentials EUVDEUVD-2026-35847

| CVE-2026-47903 MEDIUM
Improper Input Validation (CWE-20)
2026-06-09 adobe GHSA-qx3w-6mjj-cvrc
6.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 22:24 vuln.today

DescriptionNVD

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Improper Input Validation vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

AnalysisAI

Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a local attacker to crash the consuming application by supplying malformed input, resulting in a denial-of-service condition. No user interaction is required once the attacker can deliver crafted input to the locally running process. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; however, the crash-based impact and low attack complexity make it straightforward to trigger.

Technical ContextAI

The affected library implements the C2PA (Coalition for Content Provenance and Authenticity) standard for embedding and verifying digital content credentials - cryptographic provenance metadata attached to media files. The two affected packages are the JavaScript/WebAssembly web SDK (c2pa-web) and the core Rust-based SDK (c2pa), both published by Adobe under the Content Authenticity Initiative (CAI). CWE-20 (Improper Input Validation) indicates the root cause is insufficient sanitization or bounds checking of attacker-controlled input before it is processed by the parsing or verification routines within the library. The CPE string cpe:2.3:a:adobe:cai_content_credentials:*:*:*:*:*:*:*:* covers all versions up through the affected releases. Because this SDK is embedded within applications rather than exposed as a standalone service, the attack surface is local to wherever content credential parsing occurs.

RemediationAI

The primary remediation is to upgrade both affected packages beyond the identified vulnerable versions: c2pa-web above 0.7.1 and c2pa above 0.80.1. Exact fixed version numbers are not explicitly confirmed in the provided data - consult the Adobe advisory APSB26-61 at https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html for the precise patched release identifiers before deploying updates. As a compensating control where immediate upgrade is not possible, restrict the application's input sources to trusted, internally generated content only, preventing untrusted external media from reaching the c2pa parsing routines; this eliminates the attacker's delivery mechanism but may impact legitimate workflows that process third-party content. Additionally, consider wrapping the application process in a supervisor with automatic restart to reduce the operational impact of a crash-induced denial of service. Neither workaround addresses the underlying validation defect and should be treated as temporary measures pending patch deployment.

CVE-2026-34712 HIGH
7.5 Jun 09

Denial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unau

CVE-2026-34711 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34713 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34665 HIGH
7.5 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab

CVE-2026-47904 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows

CVE-2026-47902 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all

CVE-2026-47905 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a

CVE-2026-34669 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34688 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34668 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34670 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34679 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

Share

EUVD-2026-35847 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy