CVE-2026-47904: CAI Content Credentials Resource Exhaustion Denial-of-Service
CAI Content Credentials, a component used for managing digital content authenticity and provenance, contains a flaw that allows an attacker to consume excessive system resources without requiring user action. An affected application could become unresponsive or crash, effectively denying legitimate users access to the service. This is a local-level vulnerability, meaning an attacker needs some degree of system access to trigger the condition.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.2 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
CAI Content Credentials versions [email protected], c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-47904 is an Uncontrolled Resource Consumption vulnerability (CWE-400) affecting Adobe's c2pa-web and c2pa libraries at version 0.7.1 and earlier for c2pa-web, and v0.80.1 and earlier for c2pa respectively. The vulnerability allows an unauthenticated, local attacker to exhaust CPU, memory, or other critical system resources, leading to a denial-of-service condition. No user interaction is required; the vulnerability can be triggered through crafted input or direct API calls. The CVSS v3.1 score of 6.2 (Medium) reflects that while availability impact is high, the attack vector is localized and requires local system access.
Business impact
Organizations embedding CAI Content Credentials in applications face operational disruption risk. A successful exploitation could render authentication or content verification services unavailable, disrupting workflows that depend on digital content provenance tracking. While the attack surface is limited to local attackers, in multi-tenant or cloud-deployed scenarios, a compromised or malicious user account could impact service availability for all tenants. For media, publishing, and enterprise organizations relying on CAI for authenticity verification, downtime directly affects content trust operations.
Affected systems
The vulnerability affects Adobe's Content Credentials libraries: c2pa-web versions 0.7.1 and earlier, and c2pa versions 0.80.1 and earlier. Both are actively used in web applications and services for embedding content authenticity claims. Any application or service bundling these versions is in scope. Organizations should inventory deployments of these libraries, particularly in production environments, and note their current pinned versions.
Exploitability
Exploitation requires local system access; remote attackers cannot directly trigger this vulnerability over a network. The attack has low complexity and requires no elevated privileges or user interaction, making it straightforward for any local process or authenticated user to execute. The barrier to exploitation is modest once system access is established, but the attack surface is confined to local threat actors.
Remediation
Upgrade c2pa-web to a version released after 0.7.1 and c2pa to a version released after 0.80.1. Verify the specific patched versions in Adobe's security advisory before deployment. Additionally, implement resource quotas and monitoring on systems running these libraries to detect and mitigate resource exhaustion patterns in real time.
Patch guidance
Check Adobe's security advisory for the exact patched versions of both c2pa and c2pa-web released after the vulnerable versions cited. Update your package manager dependencies (npm, yarn, or equivalent) to pull the patched release. Test the upgrade in a non-production environment first, as Content Credentials libraries may interact with other components in your authentication or verification pipeline. Consider automated dependency scanning in your CI/CD to catch outdated versions.
Detection guidance
Monitor system resource utilization (CPU, memory, file descriptors) for sudden spikes or sustained high consumption correlating with requests to services using CAI Content Credentials. Log any resource exhaustion errors or out-of-memory conditions in applications using c2pa-web or c2pa. If you have access to application logs, look for patterns of large or malformed credential processing requests that precede resource exhaustion events. Implement alerting on abnormal process behavior tied to credential verification workflows.
Why prioritize this
Although rated Medium severity, organizations should prioritize patching based on their deployment model. If c2pa-web or c2pa is embedded in a customer-facing or internally critical service, a local attacker gaining system access could halt content verification and authentication workflows. In multi-tenant SaaS environments, the risk escalates because one malicious tenant could impact availability for others. Prioritize patching if the library is in production, exposed to untrusted input, or handles sensitive content authenticity operations.
Risk score, explained
The CVSS 6.2 Medium score reflects high availability impact (complete denial of service) offset by a local attack vector and no privileges required. The vulnerability does not compromise confidentiality or integrity, only availability. In isolated or single-user systems, the risk is lower; in shared or cloud environments where multiple users or applications run on the same infrastructure, the practical risk is higher because a low-privilege attacker can impact other users' services.
Frequently asked questions
Can this vulnerability be exploited remotely?
No. The attack vector is local (AV:L), meaning an attacker must have some form of access to the system running the vulnerable library. Remote exploitation over a network is not possible.
Does exploitation require admin or root privileges?
No. The vulnerability requires no privileges (PR:N), so any local user or process can trigger the resource exhaustion. This includes unprivileged container users or low-privilege application accounts.
What versions of CAI Content Credentials are affected?
c2pa-web versions 0.7.1 and earlier, and c2pa versions 0.80.1 and earlier are vulnerable. Consult Adobe's security advisory to identify the first patched version for your library and verify before upgrade.
Is this vulnerability being actively exploited in the wild?
This vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last update, indicating no confirmed active exploitation in public attacks or malware campaigns at this time.
This analysis is based on publicly disclosed vulnerability data current as of June 2026. Patch versions, exploit status, and affected product versions are subject to vendor updates. Organizations should verify all patch versions against Adobe's official security advisory before deployment. This document is for informational purposes and does not constitute legal, technical, or security advice. SEC.co makes no warranty regarding completeness or accuracy and recommends independent verification and testing in your environment before applying any mitigation. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-47902MEDIUMCAI Content Credentials Resource Exhaustion Denial-of-Service
- CVE-2026-47905MEDIUMAdobe C2PA Resource Exhaustion Denial of Service Vulnerability
- CVE-2026-34713HIGHAdobe CAI Content Credentials Denial-of-Service Vulnerability
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS
- CVE-2026-0042MEDIUMAndroid UBSan Resource Exhaustion Denial of Service
- CVE-2026-0069MEDIUMAndroid Resource Exhaustion in APK Signature Verification