Description
CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Published: 2026-05-12
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CAI Content Credentials versions c2pa-v0.78.2, c2pa-web@0.7.0, and earlier include an uncontrolled resource consumption flaw that may be triggered by crafted input. When exploited, the application allocates excessive amounts of memory or CPU, eventually exhausting system resources and resulting in a denial‑of‑service. The flaw can be triggered remotely without requiring any user interaction.

Affected Systems

The affected software is Adobe CAI Content Credentials. Attackers can target installations using version c2pa-v0.78.2, c2pa-web@0.7.0, or any earlier release. No other vendors are listed.

Risk and Exploitability

The CVSS base score of 6.2 denotes moderate severity, and the issue is not listed in the KEV catalogue. Because the vulnerability can be activated remotely without user interaction, it carries a realistic risk of exploitation. The EPSS score of 0.00011 (approximately 0.011%) indicates a low but nonzero likelihood of exploitation. Implementing rate limits and upgrading the software mitigates this risk.

Generated by OpenCVE AI on June 9, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adobe CAI Content Credentials to a version that fixes the uncontrolled resource consumption issue, or install the vendor‑issued patch if available.
  • Configure the application to enforce strict limits on resource usage for any inbound request, such as maximum memory allocation or request size.
  • Deploy network‑level throttling or rate limiting to restrict the rate of requests that can reach the CAI Content Credentials component.
  • If an upgrade is not immediately possible, isolate the service from other critical components to reduce the impact of a potential denial‑of‑service attack.

Generated by OpenCVE AI on June 9, 2026 at 23:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction. CAI Content Credentials versions c2pa-web@0.7.0, c2pa-v0.78.2 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

Fri, 15 May 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Adobe c2pa
Adobe c2pa-web
CPEs cpe:2.3:a:adobe:c2pa-web:*:*:*:*:*:node.js:*:*
cpe:2.3:a:adobe:c2pa:*:*:*:*:*:rust:*:*
Vendors & Products Adobe c2pa
Adobe c2pa-web

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Adobe
Adobe cai Content Credentials
Vendors & Products Adobe
Adobe cai Content Credentials

Tue, 12 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Description CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
Title CAI Content Credentials | Uncontrolled Resource Consumption (CWE-400)
Weaknesses CWE-400
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Adobe C2pa C2pa-web Cai Content Credentials
cve-icon MITRE

Status: PUBLISHED

Assigner: adobe

Published:

Updated: 2026-06-09T21:38:18.496Z

Reserved: 2026-03-30T17:30:36.495Z

Link: CVE-2026-34673

cve-icon Vulnrichment

Updated: 2026-05-12T20:23:58.856Z

cve-icon NVD

Status : Modified

Published: 2026-05-12T20:16:37.920

Modified: 2026-06-17T10:39:25.437

Link: CVE-2026-34673

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:30:05Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption