Skip to main content

CAI Content Credentials EUVDEUVD-2026-35849

| CVE-2026-34712 HIGH
Improper Input Validation (CWE-20)
2026-06-09 adobe GHSA-jxcp-8jh9-825w
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 22:21 vuln.today

DescriptionNVD

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Improper Input Validation vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

AnalysisAI

Denial-of-service in Adobe's CAI Content Credentials SDK (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenticated attackers to crash the application by submitting malformed input that bypasses validation. The flaw carries a CVSS 7.5 rating driven entirely by availability impact, with no confidentiality or integrity consequences. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

CAI (Content Authenticity Initiative) Content Credentials is Adobe's implementation of the C2PA (Coalition for Content Provenance and Authenticity) open standard, which cryptographically binds provenance metadata (creator, edits, AI involvement) to media assets. The affected components are the c2pa-web JavaScript/WASM binding (0.7.1) and the underlying c2pa Rust SDK (0.80.1 and earlier), both of which parse and validate C2PA manifests embedded in images, video, and audio files. The root cause is CWE-20 (Improper Input Validation), meaning the parser does not adequately sanity-check structural or length fields in untrusted manifest data before processing, allowing a malformed asset to trigger an unhandled error path that terminates the host process.

RemediationAI

Patch available per vendor advisory - consult Adobe Security Bulletin APSB26-61 at https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-61.html for the fixed releases of c2pa-web (post-0.7.1) and the c2pa SDK (post-0.80.1), and upgrade all embedded copies including transitive dependencies in build pipelines. Where immediate upgrade is not possible, compensating controls include running the C2PA parser in an isolated worker process or sandboxed container so that a crash recycles a worker rather than the whole service (trade-off: added latency and operational complexity), enforcing strict file-size and MIME-type limits before invoking the parser on uploaded media (trade-off: legitimate large or unusual but valid assets may be rejected), and rate-limiting or authenticating the upload endpoint to prevent an unauthenticated attacker from repeatedly triggering crashes (trade-off: changes the threat surface but does not fix the underlying parser bug).

CVE-2026-34711 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34713 HIGH
7.5 Jun 09

Denial-of-service in Adobe CAI Content Credentials (c2pa-web 0.7.1 and c2pa 0.80.1 and earlier) allows remote unauthenti

CVE-2026-34665 HIGH
7.5 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerab

CVE-2026-47903 MEDIUM
6.2 Jun 09

Improper input validation in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) permits a

CVE-2026-47904 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) allows

CVE-2026-47902 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) all

CVE-2026-47905 MEDIUM
6.2 Jun 09

Uncontrolled resource consumption in Adobe's CAI Content Credentials SDK (c2pa-web@0.7.1 and c2pa-v0.80.1 and earlier) a

CVE-2026-34669 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34688 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34668 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34670 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

CVE-2026-34679 MEDIUM
6.2 May 12

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability th

Share

EUVD-2026-35849 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy