CVE-2026-34665 - Vulnerability Details

- CAI Content Credentials | Uncontrolled Resource Consumption (CWE-400)

Description

CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

Published: 2026-05-12

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The CAI Content Credentials product contains a resource exhaustion vulnerability that can cause the application to consume excessive CPU or memory, ultimately denying service to legitimate users. This flaw is identified as CWE-400, an uncontrolled resource consumption weakness. Exploitation does not require user interaction, allowing an attacker to trigger the condition remotely or locally, depending on the attacker’s ability to send specially crafted requests to the component.

Affected Systems

Adobe CAI Content Credentials versions 0.78.2, 0.7.0, and all earlier releases are impacted. These versions are part of Adobe’s Content Authenticity SDK used for content verification and authentication within applications that rely on this library.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity impact, and because the EPSS score is not available, the precise likelihood of exploitation is unknown. The vulnerability is not listed in CISA’s KEV catalog, suggesting that widely known, active exploitation has not been documented. Attackers could trigger the issue without interacting with the system’s UI, indicating that remote exploitation is likely feasible if network access to the vulnerable component exists.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Adobe

CAI Content Credentials

affected

Version	Status	Constraints
`0`	affected	≤ 0.7.0

Configuration 1 [-]

OR	cpe:2.3:a:adobe:c2pa::::::rust::*
	cpe:2.3:a:adobe:c2pa-web::::::node.js::*

No data.

Vendor Product Confidence Versions

Adobe

Cai Content Credentials

100%

Version	Status	Scheme	Platform
`[0,0.7.0]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Adobe CAI Content Credentials patch, removing all versions 0.78.2, 0.7.0, and earlier from the environment.
If a patch is unavailable, limit inbound connections to the application or implement rate limiting and resource quotas to contain potential resource exhaustion.
Review and monitor application logs and system metrics for unusual CPU or memory spikes that may indicate an ongoing denial‑of‑service attempt.

Generated by OpenCVE AI on May 12, 2026 at 21:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-53.html

History

Fri, 15 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe c2pa Adobe c2pa-web
CPEs		cpe:2.3:a:adobe:c2pa-web::::::node.js::* cpe:2.3:a:adobe:c2pa::::::rust::*
Vendors & Products		Adobe c2pa Adobe c2pa-web

Wed, 13 May 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Adobe Adobe cai Content Credentials
Vendors & Products		Adobe Adobe cai Content Credentials

Tue, 12 May 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 12 May 2026 20:15:00 +0000

Type	Values Removed	Values Added
Description		CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Title		CAI Content Credentials \| Uncontrolled Resource Consumption (CWE-400)
Weaknesses		CWE-400
References		https://helpx.adobe.com/security/products/content-authenticity-sdk/apsb26-53.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Subscriptions

Adobe C2pa C2pa-web Cai Content Credentials

MITRE

Status: PUBLISHED

Assigner: adobe

Published: 2026-05-12T20:03:51.950Z

Updated: 2026-05-12T20:24:20.558Z

Reserved: 2026-03-30T17:30:36.494Z

Link: CVE-2026-34665

Vulnrichment

Updated: 2026-05-12T20:24:14.964Z

NVD

Status : Analyzed

Published: 2026-05-12T20:16:37.013

Modified: 2026-05-15T14:12:24.333

Link: CVE-2026-34665

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:36:04Z

Weaknesses

CWE-400

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object