Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionNVD
CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Improper Input Validation vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.
AnalysisAI
Denial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenticated attackers to crash the application by submitting malformed input that bypasses validation. The flaw carries a CVSS 7.5 rating driven entirely by availability impact, with no confidentiality or integrity consequences. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
CAI (Content Authenticity Initiative) Content Credentials is Adobe's implementation of the C2PA (Coalition for Content Provenance and Authenticity) open standard, which cryptographically binds provenance metadata (creator, edits, AI involvement) to media assets. The affected components are the c2pa-web JavaScript/WASM binding (0.7.1) and the underlying c2pa Rust SDK (0.80.1 and earlier), both of which parse and validate C2PA manifests embedded in images, video, and audio files. The root cause is CWE-20 (Improper Input Validation), meaning the parser does not adequately sanity-check structural or length fields in untrusted manifest data before processing, allowing a malformed asset to trigger an unhandled error path that terminates the host process.
RemediationAI
Patch available per vendor advisory - consult Adobe Security Bulletin APSB26-61 at https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html for the fixed releases of c2pa-web (post-0.7.1) and the c2pa SDK (post-0.80.1), and upgrade all embedded copies including transitive dependencies in build pipelines. Where immediate upgrade is not possible, compensating controls include running the C2PA parser in an isolated worker process or sandboxed container so that a crash recycles a worker rather than the whole service (trade-off: added latency and operational complexity), enforcing strict file-size and MIME-type limits before invoking the parser on uploaded media (trade-off: legitimate large or unusual but valid assets may be rejected), and rate-limiting or authenticating the upload endpoint to prevent an unauthenticated attacker from repeatedly triggering crashes (trade-off: changes the threat surface but does not fix the underlying parser bug).
More in Cai Content Credentials
View allDenial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab
Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a
Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows
Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all
Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35849
GHSA-jxcp-8jh9-825w