CVE-2026-34712 | Severity: HIGH | Published / Modified: (dates not recorded on this page) | CNA: adobe

CVE-2026-34712: CAI Content Credentials | Improper Input Validation (CWE-20)

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Improper Input Validation vulnerability. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condition. Exploitation of this issue does not require user interaction.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

An improper input validation vulnerability in CAI Content Credentials (c2pa-v0.80.1 and earlier, c2pa-web@0.7.1 and earlier) allows a remote, unauthenticated attacker to crash the application by sending malformed input over the network. No authentication or user interaction is needed to trigger the flaw. Successful exploitation causes a denial-of-service condition, taking the affected service offline. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Adobe publishes a fix.

HarborGuard Coverage

Detection (Status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the affected c2pa library. Any image containing c2pa-v0.80.1 or earlier will surface as affected in the scan results.

Triage (Status: Available)

HarborGuard scores this CVE at 7.5 HIGH using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within the customer org based on image ownership and policy configuration.

Patch (Status: Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the Adobe advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once the upstream patch appears.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected service over the network; the CVSS vector specifies AV:N, meaning no local access or physical proximity is needed.

  • Authentication: Not required

    No credentials are needed; the CVSS vector specifies PR:N, so any unauthenticated party who can reach the service can attempt exploitation.

  • Victim interaction: Not required

    The exploit fires without any action from a user or operator; the CVSS vector specifies UI:N.

  • Attack complexity: Low

    The CVSS vector specifies AC:L, meaning exploitation does not depend on special timing, race conditions, or environmental preconditions outside the attacker's control.

Blast Radius

  • Crashes the affected c2pa application process, taking content-credential verification or signing functionality offline for the duration of the outage.
  • Repeated exploitation can sustain a continuous denial-of-service, preventing any workload that depends on the c2pa service from processing content credentials.

How HarborGuard Handles This

Available on HarborGuard: because Adobe has not yet published a fix for this vulnerability, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once an upstream fix version is released. In the interim, customers can apply compensating controls through HarborGuard's network-policy management, specifically by restricting inbound access to services that expose the c2pa library to untrusted input, using egress filtering to limit lateral exposure, and gating the content-credentials feature behind an application-level flag where the service architecture permits it. For customers with auto-remediation enabled, the moment a fix is published the pipeline will produce a rebuilt image, run the regression suite, and open a PR against affected workloads, with median time from CVE fix publication to merged patch PR for high-severity issues running around 90 minutes in those environments.

Affected packages

  • Adobe / CAI Content Credentials: ≤ c2pa-v0.80.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References