Adobe Security Bulletin

Security updates available for Content Credentials SDK | APSB26-80

Bulletin ID

Date Published

Priority

APSB26-80

July 14, 2026

3

Summary

Adobe has released security updates for Content Credentials SDK. This update addresses critical and important vulnerabilities  that could result in arbitrary code execution, application denial-of-service, arbitrary file system read, security feature bypass, and privilege escalation.

Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.  

Affected versions

Product Affected version Platform
Content Credentials Rust SDK c2pa-v0.84.0 and earlier Windows, macOS, Linux, iOS, Android
Content Credentials Command-Line Tool c2patool-v0.17.0 and earlier Windows, macOS, Linux, iOS, Android
Content Credentials JS SDK @contentauth/c2pa-web@0.7.0 and earlier Windows, macOS, Linux, iOS, Android

Solution

Adobe categorizes these updates with the following priority rating and recommends users update their installation to the newest version:

Product Updated version Platform Priority rating Availability
Content Credentials Rust SDK
c2pa-v0.85.2 Windows, macOS, Linux, iOS, Android 3 Release Notes
Content Credentials Command-Line Tool
c2patool-v0.26.65 Windows, macOS, Linux, iOS, Android 3 Release Notes
Content Credentials JS SDK
@contentauth/c2pa-web@0.9.0 Windows, macOS, Linux, iOS, Android 3 Release Notes

Vulnerability Details

Vulnerability Category Vulnerability Impact Severity CVSS base score CVSS vector CVE Number
Server-Side Request Forgery (SSRF) (CWE-918) Privilege escalation Critical 8.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVE-2026-48290
Improper Input Validation (CWE-20) Application denial-of-service Critical 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-48351
Improper Input Validation (CWE-20) Application denial-of-service Critical 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-48352
Insufficiently Protected Credentials (CWE-522) Privilege escalation Critical 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2026-48295
Untrusted Search Path (CWE-426) Arbitrary code execution Critical 7.4 CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N CVE-2026-48287
Improper Input Validation (CWE-20) Security feature bypass Important 6.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N CVE-2026-48312
Integer Overflow or Wraparound (CWE-190) Application denial-of-service Important 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-48354
Uncontrolled Resource Consumption (CWE-400) Application denial-of-service Important 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-48357
Integer Underflow (Wrap or Wraparound) (CWE-191) Application denial-of-service Important 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-48296
Integer Underflow (Wrap or Wraparound) (CWE-191) Application denial-of-service Important 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-48298
Improper Input Validation (CWE-20) Application denial-of-service Important 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2026-48302
Improper Input Validation (CWE-20) Arbitrary file system read Important 5.5 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N CVE-2026-48353

Acknowledgments

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers.        

  • sneharghyaroy - CVE-2026-48287 
  • 0x0.eth - CVE-2026-48290 
  • zerodaygym - CVE-2026-48295 
  • bau1u - CVE-2026-48296, CVE-2026-48302, CVE-2026-48351, CVE-2026-48352, CVE-2026-48353, CVE-2026-48354
  • Astrops - CVE-2026-48298  
  • Sindid (sndd) - CVE-2026-48312
  • Nitish Kumar (stranger825) - CVE-2026-48357

NOTE: Adobe has a public bug bounty program with HackerOne. If you are interested in working with Adobe as an external security researcher, please check us out here: https://hackerone.com/adobe.

 

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

Adobe, Inc.

Get help faster and easier

New user?