MEDIUM 6.2

CVE-2026-47902: CAI Content Credentials Resource Exhaustion Denial-of-Service

CAI Content Credentials, Adobe's implementation of Content Provenance and Authentication, contains a flaw that allows attackers to consume excessive system resources without any user action required. This can crash or severely degrade applications using affected versions of the c2pa-web library (0.7.1 and earlier) or the c2pa core library (v0.80.1 and earlier). The vulnerability is a resource exhaustion issue—an attacker sends specially crafted input that forces the application to allocate memory or processing power until the system becomes unresponsive.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.2 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400
Affected products
2 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-47902 is classified as an Uncontrolled Resource Consumption vulnerability (CWE-400) affecting Adobe's Content Provenance and Authentication libraries. The flaw exists in c2pa-web versions up to and including 0.7.1 and c2pa core versions up to and including v0.80.1. The vulnerability has a CVSS v3.1 score of 6.2 (MEDIUM severity) with a vector of AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating local attack surface, low complexity, no privileges required, no user interaction, and high impact to availability. The attack does not compromise confidentiality or integrity, only availability.

Business impact

For organizations deploying c2pa-web or c2pa libraries to validate content authenticity and provenance, this vulnerability creates a denial-of-service risk. Applications that rely on these libraries to process user-supplied content credentials or metadata could become unresponsive when processing malicious inputs. This is particularly concerning for media publishers, authentication platforms, and content management systems that depend on c2pa for verifying digital signatures and tracking content origins. Availability disruptions can interrupt content verification workflows and erode trust in authentication mechanisms.

Affected systems

Adobe c2pa and c2pa-web libraries are affected. Specifically: c2pa-web version 0.7.1 and all earlier versions; c2pa version v0.80.1 and all earlier versions. Any application embedding or using these libraries—whether in Node.js environments (c2pa-web) or web contexts—is vulnerable if running unpatched versions. Organizations should inventory dependencies on these libraries across their software supply chain.

Exploitability

This vulnerability requires no user interaction and can be triggered with local access to the affected system or application. An attacker can send crafted input directly to the application using the vulnerable library; the resource exhaustion occurs automatically without requiring social engineering or user click-through. This makes the attack straightforward to execute once an attacker can reach the application's processing functions. However, the CVSS vector specifies AV:L (local attack vector), meaning the attacker must have local access to the target system, which somewhat constrains the attack surface compared to network-exploitable flaws.

Remediation

Upgrade c2pa-web to version 0.7.2 or later (verify against Adobe's official release notes). Upgrade c2pa to version v0.80.2 or later. If immediate patching is not feasible, consider implementing rate limiting or resource caps at the application or container level to mitigate resource exhaustion. Input validation and size limits on credential payloads may provide temporary defense-in-depth.

Patch guidance

Monitor Adobe's official repositories and security advisories for patch releases addressing this vulnerability. Patches should be tested in a non-production environment before deployment. For organizations using c2pa-web in Node.js or JavaScript environments, update via npm; for c2pa core integrations, follow Adobe's published patch guidance. Verify that updated library versions are actually deployed and that no cache or bundled copies of older versions are inadvertently used.

Detection guidance

Monitor for sudden spikes in memory or CPU consumption correlated with processing of content credentials or metadata. Log and alert on error conditions related to resource exhaustion (out-of-memory, timeout errors) within c2pa processing pipelines. If you have telemetry on library versions in use, flag deployments still running c2pa-web ≤0.7.1 or c2pa ≤v0.80.1. Runtime application performance monitoring (APM) tools can help detect denial-of-service patterns caused by this vulnerability.

Why prioritize this

This vulnerability merits prompt attention because it enables denial-of-service attacks without user interaction or elevated privileges, and affects core authentication and content provenance mechanisms that many modern media and publishing platforms depend on. Although CVSS is MEDIUM and local access is required, the ease of exploitation and direct impact to service availability make it a priority for patching cycles. Organizations processing untrusted content credentials should prioritize updates.

Risk score, explained

The CVSS v3.1 score of 6.2 (MEDIUM) reflects the high availability impact (A:H) but limited attack vector (local only, AV:L) and lack of confidentiality or integrity compromise. In environments where the c2pa library processes input from less-trusted sources or where local access is plausible, effective risk may be elevated; in tightly controlled backend scenarios, risk may be lower. The lack of KEV designation indicates this has not yet been observed in active exploitation campaigns, but that should not discourage rapid patching given the straightforward attack mechanism.

Frequently asked questions

Why does this vulnerability require local access if I'm using c2pa-web in a web application?

The CVSS vector AV:L refers to the attack vector necessary to trigger the underlying flaw in the library code itself. In a web context, if your backend service processes user-submitted credentials via HTTP, the 'local' boundary includes that network interface; an unauthenticated remote user could still send malicious payloads across the network to reach the vulnerable library function. The 'local' designation does not mean only on-premise or console access.

Will updating c2pa-web break my existing content validation workflows?

Patch releases (0.7.1 to 0.7.2, for example) are designed to be backward compatible. Test updates in a staging environment before production deployment to confirm no integration issues, but breakage is unlikely. Consult Adobe's release notes for any deprecation warnings or behavioral changes.

What if we use c2pa only for reading existing provenance data and never process untrusted credentials?

Your risk is lower in that scenario, but not zero. If any code path could receive attacker-controlled data—even indirectly through caching or batch processing—the vulnerability can still be triggered. Patching remains the safest approach; meanwhile, input size limits or resource quotas provide defense-in-depth.

Is this vulnerability exploited in the wild?

As of the vulnerability's publication date (June 2026), this issue has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning no public exploit or active attacks have been confirmed. However, the straightforward nature of denial-of-service vulnerabilities means exploitation could begin at any time; do not delay patching based on this status.

This analysis is provided for informational purposes and does not constitute professional security advice. Vulnerability severity and exploitability can vary based on your specific environment, deployment architecture, and data exposure. Always verify vendor advisories and patch availability directly from Adobe's official channels. Test patches in non-production environments before deployment. SEC.co assumes no liability for decisions made based on this intelligence. Consult your organization's security and risk management teams before implementing remediation actions. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).