Adobe CAI Content Credentials: Seven DoS and Path Traversal Flaws Disclosed

Key findings
- Seven vulnerabilities disclosed for Adobe CAI Content Credentials on June 9, 2026.
- Two high-severity (7.5 CVSSv3) denial-of-service flaws identified.
- Five medium-severity (6.2 CVSSv3) denial-of-service flaws also disclosed.
- One medium-severity path traversal vulnerability allowing arbitrary file writes.
- All vulnerabilities affect versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier.
- Patches are available; users urged to update promptly.
Adobe's CAI Content Credentials product was found to be affected by seven vulnerabilities, all disclosed on June 9, 2026. The batch of security issues includes two high-severity flaws and five medium-severity bugs, primarily impacting versions prior to c2pa-web@0.7.1 and c2pa-v0.80.1. The vulnerabilities predominantly lead to denial-of-service (DoS) conditions, with one notable exception involving path traversal.
Four of the disclosed vulnerabilities, CVE-2026-47905, CVE-2026-47904, CVE-2026-47902, and CVE-2026-47903, are categorized as medium severity with a CVSSv3 score of 6.2. These issues stem from either Uncontrolled Resource Consumption or Improper Input Validation, both of which can be exploited by an attacker to exhaust system resources or crash the application, resulting in a denial-of-service condition. Exploitation of these particular flaws does not require user interaction or complex prerequisites.
Two high-severity vulnerabilities, CVE-2026-34711 and CVE-2026-34712, were also part of this disclosure. Both carry a CVSSv3 score of 7.5 and are related to Improper Input Validation and Integer Overflow or Wraparound, respectively. Like the medium-severity bugs, these vulnerabilities can lead to application crashes and denial-of-service conditions, with no user interaction required for exploitation.
A distinct vulnerability, CVE-2026-34657, rated as medium severity with a CVSSv3 score of 5.5, presents a different threat. This flaw is an Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal. An attacker could exploit this to write to unauthorized files on the file system, potentially leading to system compromise or data corruption.
All seven vulnerabilities affect the same range of versions: c2pa-web@0.7.1, c2pa-v0.80.1, and earlier. Adobe has addressed these issues, and users are advised to update to patched versions. Specific patch versions are available through Adobe's security advisories.
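One way to check whether a project pins an affected release is to scan its lockfiles, shown here as an added example that is not Adobe's or the C2PA project's own tooling. It assumes the identifiers above correspond to an npm package named `c2pa-web` and a Rust crate named `c2pa`, treats the listed versions and everything below them as affected, and runs on constructed sample lockfiles.

```python
import json
import re

# Last affected versions as given in the article. Treating them as the npm
# package "c2pa-web" and the Rust crate "c2pa" is an assumption of this example.
LAST_AFFECTED = {"c2pa-web": (0, 7, 1), "c2pa": (0, 80, 1)}

def parse_version(text):
    """Return (major, minor, patch); pre-release and build suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(name, version):
    """True when the package is tracked and at or below its last affected version."""
    last = LAST_AFFECTED.get(name)
    return last is not None and parse_version(version) <= last

def from_cargo_lock(text):
    """Yield (name, version) for each [[package]] entry in a Cargo.lock."""
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        ver = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and ver:
            yield name.group(1), ver.group(1)

def from_package_lock(text):
    """Yield (name, version) from the "packages" map of an npm lockfile (v2/v3)."""
    for path, meta in json.loads(text).get("packages", {}).items():
        # Keep the last path component so nested and scoped installs also match.
        name = path.rpartition("node_modules/")[2].split("/")[-1]
        if name and "version" in meta:
            yield name, meta["version"]

def affected(pairs):
    return sorted({(n, v) for n, v in pairs if is_affected(n, v)})

# Constructed sample lockfiles (not taken from any real project).
CARGO_LOCK = '[[package]]\nname = "c2pa"\nversion = "0.80.1"\n\n[[package]]\nname = "serde"\nversion = "1.0.200"\n'
PACKAGE_LOCK = json.dumps({"packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/c2pa-web": {"version": "0.7.0"},
    "node_modules/left-pad": {"version": "1.3.0"}}})

if __name__ == "__main__":
    found = affected([*from_cargo_lock(CARGO_LOCK), *from_package_lock(PACKAGE_LOCK)])
    for name, version in found:
        print(f"AFFECTED {name} {version}: update to a patched release")
```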
The coordinated disclosure of these vulnerabilities highlights potential weaknesses in resource management and input validation within the CAI Content Credentials product. Users should prioritize updating their installations to the latest secure versions to prevent potential denial-of-service attacks and unauthorized file system writes.