Description
CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Published: 2026-05-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CAI Content Credentials product, versions c2pa-web@0.7.0, c2pa-v0.78.2, and earlier releases, contains an uncontrolled resource consumption vulnerability (CWE-400) that can lead to application denial-of-service by exhausting system CPU or memory. An attacker can trigger the excessive resource usage without user interaction. Because no user interaction is required, the flaw can be triggered remotely or locally, depending on the attacker's ability to send specially crafted requests to the component.

Affected Systems

Adobe CAI Content Credentials versions c2pa-v0.78.2, c2pa-web@0.7.0, and all earlier releases are impacted. These versions are part of Adobe's Content Authenticity SDK, which applications use for content verification and authentication.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and the EPSS score of 0.00017 (approximately 0.017%) indicates a very low probability that this flaw will be exploited in the wild. The vulnerability is not listed in CISA's KEV catalog, suggesting that widely known, active exploitation has not been documented. The issue requires no user interaction (UI:N in the CVSS vector), and the network attack vector (AV:N) indicates that remote exploitation is likely feasible if network access to the vulnerable component exists.

Generated by OpenCVE AI on June 9, 2026 at 23:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Adobe CAI Content Credentials patch, removing c2pa-v0.78.2, c2pa-web@0.7.0, and all earlier versions from the environment.
  • If a patch is unavailable, limit inbound connections to the application or implement rate limiting and resource quotas to contain potential resource exhaustion.
  • Review and monitor application logs and system metrics for unusual CPU or memory spikes that may indicate an ongoing denial‑of‑service attempt.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. | CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. |

Fri, 15 May 2026 14:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe c2pa; Adobe c2pa-web |
| CPEs | | `cpe:2.3:a:adobe:c2pa-web:*:*:*:*:*:node.js:*:*`; `cpe:2.3:a:adobe:c2pa:*:*:*:*:*:rust:*:*` |
| Vendors & Products | | Adobe c2pa; Adobe c2pa-web |

Wed, 13 May 2026 11:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Adobe; Adobe cai Content Credentials |
| Vendors & Products | | Adobe; Adobe cai Content Credentials |

Tue, 12 May 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Tue, 12 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. |
| Title | | CAI Content Credentials \| Uncontrolled Resource Consumption (CWE-400) |
| Weaknesses | | CWE-400 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T21:38:07.367Z

Reserved: 2026-03-30T17:30:36.494Z

Link: CVE-2026-34665

Vulnrichment

Updated: 2026-05-12T20:24:14.964Z

NVD

Status: Modified

Published: 2026-05-12T20:16:37.013

Modified: 2026-06-17T10:39:24.603

Link: CVE-2026-34665

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T23:45:15Z

Weaknesses
  • CWE-400: Uncontrolled Resource Consumption