Bulletin ID
Security updates available for Content Credentials SDK | APSB26-80
|
|
Date Published |
Priority |
|
APSB26-80 |
July 14, 2026 |
3 |
Summary
Adobe has released security updates for Content Credentials SDK. This update addresses critical and important vulnerabilities that could result in arbitrary code execution, application denial-of-service, arbitrary file system read, security feature bypass, and privilege escalation.
Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.
Affected versions
| Product | Affected version | Platform |
|---|---|---|
| Content Credentials Rust SDK | c2pa-v0.84.0 and earlier | Windows, macOS, Linux, iOS, Android |
| Content Credentials Command-Line Tool | c2patool-v0.17.0 and earlier | Windows, macOS, Linux, iOS, Android |
| Content Credentials JS SDK | @contentauth/c2pa-web@0.7.0 and earlier | Windows, macOS, Linux, iOS, Android |
Solution
Adobe categorizes these updates with the following priority rating and recommends users update their installation to the newest version:
| Product | Updated version | Platform | Priority rating | Availability |
|---|---|---|---|---|
| Content Credentials Rust SDK |
c2pa-v0.85.2 | Windows, macOS, Linux, iOS, Android | 3 | Release Notes |
| Content Credentials Command-Line Tool |
c2patool-v0.26.65 | Windows, macOS, Linux, iOS, Android | 3 | Release Notes |
| Content Credentials JS SDK |
@contentauth/c2pa-web@0.9.0 | Windows, macOS, Linux, iOS, Android | 3 | Release Notes |
Vulnerability Details
| Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number |
| Server-Side Request Forgery (SSRF) (CWE-918) | Privilege escalation | Critical | 8.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N | CVE-2026-48290 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Critical | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-48351 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Critical | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-48352 |
| Insufficiently Protected Credentials (CWE-522) | Privilege escalation | Critical | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | CVE-2026-48295 |
| Untrusted Search Path (CWE-426) | Arbitrary code execution | Critical | 7.4 | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N | CVE-2026-48287 |
| Improper Input Validation (CWE-20) | Security feature bypass | Important | 6.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N | CVE-2026-48312 |
| Integer Overflow or Wraparound (CWE-190) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-48354 |
| Uncontrolled Resource Consumption (CWE-400) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-48357 |
| Integer Underflow (Wrap or Wraparound) (CWE-191) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-48296 |
| Integer Underflow (Wrap or Wraparound) (CWE-191) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-48298 |
| Improper Input Validation (CWE-20) | Application denial-of-service | Important | 6.2 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | CVE-2026-48302 |
| Improper Input Validation (CWE-20) | Arbitrary file system read | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2026-48353 |
Acknowledgments
Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers.
- sneharghyaroy - CVE-2026-48287
- 0x0.eth - CVE-2026-48290
- zerodaygym - CVE-2026-48295
- bau1u - CVE-2026-48296, CVE-2026-48302, CVE-2026-48351, CVE-2026-48352, CVE-2026-48353, CVE-2026-48354
- Astrops - CVE-2026-48298
- Sindid (sndd) - CVE-2026-48312
- Nitish Kumar (stranger825) - CVE-2026-48357
NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check us out here: https://hackerone.com/adobe.
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com