Industry News • Updated February 27, 2026
Nikon Cameras C2PA Support: The Z6 III Vulnerability and Service Suspension
Current status: The Nikon Authenticity Service is suspended as of early 2026. All previously issued C2PA certificates have been revoked. No Nikon camera currently has active C2PA support.
TL;DR
- Nikon Z6 III received C2PA support via firmware 2.00 on August 27, 2025 — the first Nikon camera to do so
- A critical vulnerability was discovered days later: Multiple Exposure mode could produce fraudulently signed photos that passed authentication
- Nikon suspended the Authenticity Service on September 5, 2025
- Nikon revoked all C2PA certificates issued since launch on September 21, 2025
- A full fix requires changes to C2PA validation tools — beyond Nikon alone
- As of early 2026, the service remains suspended with no confirmed restoration date
Nikon became the first major mirrorless camera manufacturer to ship C2PA Content Credentials in a Z-series camera when it released firmware 2.00 for the Z6 III on August 27, 2025. Less than two weeks later, a photographer discovered a critical vulnerability that allowed forged images to pass authentication. Nikon suspended the service, revoked every certificate ever issued, and as of early 2026 the Nikon Authenticity Service remains offline.
Disclaimer: This article is an independent analysis based on public reporting from PetaPixel, Digital Camera World, and Nikon Rumors. C2PA Viewer is not affiliated with Nikon or the C2PA coalition.
August 2025: Nikon Adds C2PA to the Z6 III
Firmware version 2.00 for the Nikon Z6 III, released August 27, 2025, was a significant update: it added Bird AF, Auto Capture, and — most notably — a C2PA-compliant provenance recording function through a new Nikon Authenticity Service.
The implementation worked through Nikon's cloud-based signing infrastructure. Unlike the Leica M11-P, which uses a dedicated on-device security chip to sign photos entirely offline, the Z6 III's C2PA implementation relied on the Nikon Imaging Cloud to issue and manage certificates. Photos taken with C2PA enabled would carry a manifest backed by Nikon's certificate authority.
September 4, 2025: The Vulnerability Discovered
Within days of launch, a photographer identified publicly as Horshack discovered and disclosed a significant security flaw. The Z6 III's Multiple Exposure mode — which composites multiple frames into a single image in-camera — could be used to bypass C2PA authentication.
Specifically, it was possible to combine frames from multiple sources, including frames from cameras not enrolled in the Nikon Authenticity Service, and produce a final JPEG that would pass Nikon's C2PA signature verification as a legitimate authenticated image.
What This Means in Practice
A bad actor with a Z6 III and access to the C2PA feature could composite an unrelated or fabricated image into a Multiple Exposure sequence and produce a file bearing a valid Nikon C2PA signature. The signed manifest would indicate the photo was captured authentically — even if the result was a fabrication. This directly undermines the core promise of C2PA provenance.
Nikon confirmed the issue the same day, describing it as “a technical issue with the provenance recording function” in firmware 2.00.
September 5–21, 2025: Suspension and Full Certificate Revocation
On September 5, 2025, Nikon announced a temporary suspension of the Nikon Authenticity Service while it worked on a resolution. Users were advised to stop using the C2PA signing feature.
On September 21, Nikon issued a further notice with more serious implications: it would revoke all C2PA certificates issued since the service launched in late August. This meant that every photo ever signed through the Nikon Authenticity Service — even legitimate, unmanipulated captures — would have its credential invalidated.
Revocation was the correct call. Because the vulnerability existed from day one, there was no way to distinguish legitimate signed photos from potentially fraudulent ones. The entire corpus of Nikon-signed C2PA photos was compromised by the flaw's existence.
Why Nikon Cannot Fix This Alone
A September 22, 2025 report by PetaPixel revealed a complication that extends beyond Nikon's own engineering: a complete fix requires changes to C2PA validation tools, not just Nikon firmware.
The root issue is that the C2PA specification and its validator implementations did not anticipate in-camera compositing modes like Multiple Exposure. The validators check that the signed content matches the manifest, but they have no mechanism to detect that a signed composite image contains frames from unauthorized sources, because that information is not exposed in the manifest format.
Fixing this requires either changes to the C2PA specification to mandate disclosure of composite operations, or changes to camera firmware to block signing during any compositing mode. The former is an industry-wide standards change; the latter is a feature restriction that Nikon could implement unilaterally but which does not solve the validator-side trust gap.
Nikon C2PA vs. Other Camera Implementations
The Nikon situation highlights a meaningful architectural difference between camera C2PA implementations:
| Camera | Signing Model | Key Storage | C2PA Status (Early 2026) |
|---|---|---|---|
| Nikon Z6 III | Cloud (Nikon Imaging Cloud) | Cloud-issued certificates | Suspended — all certs revoked |
| Leica M11-P | On-device (dedicated security chip) | Hardware security element | Active |
| Sony α9 III / α1 II | Cloud (Sony Imaging Edge) | Cloud-issued certificates | Active (opt-in) |
| Google Pixel 10 | On-device (Titan M2 chip) | Hardware security module | Active |
The pattern is clear: cloud-based signing architectures introduce a dependency on external infrastructure and, as the Nikon case shows, a larger attack surface. On-device hardware signing (Leica, Google Pixel) is more resilient because the signing key never leaves the device and compositing operations happen after the key has already committed to the original frame.
Current Status (Early 2026)
As of February 2026, the Nikon Authenticity Service remains suspended. Nikon has stated it will announce the resumption of service once corrective measures are complete, but has not published a timeline.
Any Nikon Z6 III photo with a C2PA manifest signed before the suspension should be treated as unverified. The certificates backing those signatures have been formally revoked and will fail validation in compliant C2PA tools, including C2PA Viewer.
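The rule above as a triage function, in an added example that is not code from C2PA Viewer or Nikon: it maps a validator's JSON report to valid, revoked, invalid, unverified or absent, and refuses to report an affected signature as valid even when the validator returned no revocation result. The report shape (`active_manifest`, `manifests`, `signature_info`, `validation_status`) is assumed to follow c2patool's JSON output, the issuer match string is a hypothetical placeholder, and the sample reports are constructed.

```python
from datetime import date, datetime, timezone

# Suspension date is from the article; the issuer hint is a hypothetical placeholder.
SUSPENDED_ON = date(2025, 9, 5)
AFFECTED_ISSUER_HINT = "nikon"

# C2PA validation status codes a validator may report.
REVOKED = "signingCredential.revoked"
FAILURES = {"claimSignature.mismatch", "assertion.dataHash.mismatch",
            "signingCredential.untrusted", "signingCredential.expired",
            "signingCredential.invalid"}


def classify(report):
    """Return 'absent', 'revoked', 'invalid', 'unverified' or 'valid'."""
    manifest = report.get("manifests", {}).get(report.get("active_manifest"))
    if not manifest:
        return "absent"
    codes = {s.get("code") for s in report.get("validation_status") or []}
    if REVOKED in codes:
        return "revoked"
    if codes & FAILURES:
        return "invalid"
    sig = manifest.get("signature_info") or {}
    if AFFECTED_ISSUER_HINT in (sig.get("issuer") or "").lower():
        signed = sig.get("time")
        when = datetime.fromisoformat(signed.replace("Z", "+00:00")) if signed else None
        # A clean report from a validator that skipped or cached revocation
        # checks must not be shown as valid for the affected signing period.
        if when is None or when.astimezone(timezone.utc).date() <= SUSPENDED_ON:
            return "unverified"
    return "valid"


def sample(issuer, time, codes=()):
    """Build a constructed report; not output captured from a real file."""
    return {"active_manifest": "m1",
            "manifests": {"m1": {"signature_info": {"issuer": issuer, "time": time}}},
            "validation_status": [{"code": c} for c in codes]}


if __name__ == "__main__":
    stamp = "2025-08-30T09:15:00+00:00"
    print(classify(sample("Nikon (placeholder issuer)", stamp, [REVOKED])))
    print(classify(sample("Nikon (placeholder issuer)", stamp)))
    print(classify(sample("Example CA (constructed)", stamp)))
    print(classify({}))
```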
Frequently Asked Questions
Do Nikon cameras currently support C2PA?
As of early 2026, no. Nikon added C2PA to the Z6 III via firmware 2.00 in August 2025, but suspended the Nikon Authenticity Service in September 2025 after a critical security vulnerability was discovered. All previously issued C2PA certificates were revoked. The service had not been restored as of early 2026.
What was the Nikon Z6 III C2PA vulnerability?
The vulnerability allowed Multiple Exposure mode on the Z6 III to combine images — including images from non-C2PA-enabled cameras — and produce a file that passed Nikon's C2PA authentication checks. Fraudulently assembled images could be signed as if they were genuine single captures.
Why did Nikon revoke all C2PA certificates?
Because the vulnerability existed from the service launch date, there was no way to distinguish legitimate signed photos from potentially fraudulent ones. Revoking all certificates removes any false sense of trust in photos signed during the vulnerable period.
Can Nikon fix the vulnerability alone?
According to PetaPixel's September 2025 reporting, a complete fix requires changes not just to Nikon's firmware but to C2PA validation tools themselves — a systemic challenge beyond any single manufacturer's control.
Which other Nikon cameras support C2PA?
The Z6 III was the only Nikon camera to receive C2PA support, and that support is currently suspended. No other Nikon Z-series body has shipped with C2PA functionality as of early 2026.
Verify a Photo's C2PA Status
Drop any photo into C2PA Viewer to check whether its credentials are valid, revoked, or absent — all processed locally, no upload required. Revoked Nikon certificates will be flagged.