HIGH | CVE-2026-34713 | CNA: adobe

CVE-2026-34713: CAI Content Credentials | Uncontrolled Resource Consumption (CWE-400)

CAI Content Credentials versions c2pa-web@0.7.1, c2pa-v0.80.1 and earlier are affected by an Uncontrolled Resource Consumption vulnerability. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application denial-of-service condition. Exploitation of this issue does not require user interaction.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Uncontrolled resource consumption in CAI Content Credentials (c2pa-v0.80.1 and earlier, c2pa-web@0.7.1 and earlier) allows a remote, unauthenticated attacker to exhaust system resources by sending crafted requests over the network. No user interaction is required to trigger the condition. Successful exploitation causes a denial-of-service, taking the affected service offline. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Adobe publishes a fix version.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle the affected c2pa library.

Triage: Available

HarborGuard scores this finding at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy to determine priority routing. Findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published yet, HarborGuard re-checks the Adobe advisory on every ingest cycle. The moment an upstream patch is released, a patched-image rebuild will become available, and customers with auto-remediation enabled will automatically receive a rebuilt image, a regression test run, and a pull request opened against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected service over the network; no local access or physical proximity is needed.

  • Authentication: Not required

    No credentials or account of any privilege level are needed to send the resource-exhausting payload.

  • Victim interaction: Not required

    The attacker triggers the vulnerability entirely through their own requests; no action from a user or operator is required.

  • Attack complexity: Detail

    Exploit conditions are straightforward and reliable, with no race conditions or environment-specific prerequisites to satisfy.

Blast Radius

  • The targeted service becomes unresponsive, denying access to all users and dependent systems for the duration of the attack.
  • System resources (CPU, memory, or file descriptors) are exhausted, which can destabilize co-located workloads or sidecar containers sharing the same node.
  • No confidential data is read and no data is modified; impact is confined to availability.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-34713 is active across all connected registries and pipelines, matching images that include c2pa-v0.80.1 or c2pa-web@0.7.1. Because Adobe has not yet published a fix version, HarborGuard monitors the advisory on every ingest cycle. When a patch is released upstream, a patched-image rebuild will become immediately available. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a pull request opened against affected workloads automatically. While no patch exists, compensating controls worth considering include network-policy rules that restrict unauthenticated external traffic to endpoints backed by the c2pa library, rate-limiting or request-size caps at the ingress or load-balancer layer, and feature-flag gating to disable content-credential processing for untrusted input sources until the upstream fix is available.

Affected packages
  • Adobe / CAI Content Credentials
    ≤ c2pa-v0.80.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H