CVE-2026-23526
Privilege Escalation in CVAT via Staff Permission Misconfiguration

Publication date: 2026-01-21

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users who have staff status can freely change their own permissions, including granting themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the issue. As a workaround, review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges.
Meta Information
Published: 2026-01-21
Last Modified: 2026-02-20
Generated: 2026-05-07
AI Q&A: 2026-01-22
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: cvat
Product: computer_vision_annotation_tool
Version range: from 1.0.0 (inclusive) to 2.55.0 (exclusive)
CWE
CWE-267: A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.
AI Powered Q&A
Can you explain this vulnerability to me?

In CVAT versions 1.0.0 through 2.54.0, users with staff status can change their own permissions, including granting themselves superuser status and joining the admin group. This allows them full access to all data in the CVAT instance, which is a security flaw. The issue is fixed in version 2.55.0.


How can this vulnerability impact me?

This vulnerability allows staff users to escalate their privileges to superuser and admin levels, potentially gaining unauthorized full access to sensitive data within the CVAT instance. This can lead to data breaches, unauthorized data modification, and loss of control over the system.


What immediate steps should I take to mitigate this vulnerability?

Review the list of users with staff status in your CVAT instance and revoke staff status from any users who should not have superuser privileges. Additionally, upgrade CVAT to version 2.55.0 or later, where this issue is fixed.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To detect this vulnerability, review the list of users with staff status in your CVAT instance. Check if any users have staff status who should not have superuser privileges. There are no specific network detection commands provided. As a workaround, revoke staff status from any unauthorized users. Since CVAT is a web application, you may need to access the user management interface or database to list users and their roles.
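One way to carry out the staff-status review recommended above, as an added example that is not part of this record and not CVAT's own code: an offline audit script that reads a Django user and group export (the JSON shape produced by `manage.py dumpdata auth.User auth.Group`; that CVAT uses Django's built-in auth model, and the exact export layout, are assumptions here) and flags every account holding staff status, superuser status or membership of the `admin` group that is not on an allowlist of expected administrators. The sample export and the allowlist are constructed for the example. Nothing is modified; the output is a review list for an administrator to act on in CVAT's user management interface.

```python
"""Audit a Django auth export for unexpected staff/superuser/admin-group accounts.

Added example (assumed export format); not part of the CVE record or of CVAT.
Usage: python audit_staff.py  (runs against the constructed sample below)
"""
import json

# Constructed sample in the JSON shape of `manage.py dumpdata auth.User auth.Group`
# (assumption). Group membership is a list of group primary keys by default, or
# a list of natural keys such as ["admin"] when --natural-foreign is used.
SAMPLE_DUMP = json.dumps([
    {"model": "auth.group", "pk": 1, "fields": {"name": "admin", "permissions": []}},
    {"model": "auth.group", "pk": 2, "fields": {"name": "user", "permissions": []}},
    {"model": "auth.user", "pk": 1, "fields": {"username": "root", "is_staff": True,
     "is_superuser": True, "is_active": True, "groups": [1]}},
    {"model": "auth.user", "pk": 2, "fields": {"username": "annotator1", "is_staff": True,
     "is_superuser": False, "is_active": True, "groups": [2]}},
    {"model": "auth.user", "pk": 3, "fields": {"username": "reviewer", "is_staff": False,
     "is_superuser": False, "is_active": True, "groups": [2]}},
    {"model": "auth.user", "pk": 4, "fields": {"username": "former_admin", "is_staff": True,
     "is_superuser": True, "is_active": False, "groups": [["admin"], 2]}},
])

# Constructed allowlist: the only account expected to hold elevated status.
EXPECTED_ADMINS = {"root"}


def _group_names(groups_field, groups_by_pk):
    """Resolve a user's `groups` field to group names, accepting pks or natural keys."""
    names = []
    for entry in groups_field:
        if isinstance(entry, int):
            names.append(groups_by_pk.get(entry, f"<unknown pk {entry}>"))
        elif isinstance(entry, list) and entry:
            names.append(str(entry[0]))  # natural key form: ["admin"]
        else:
            names.append(str(entry))
    return names


def audit_staff(dump_text, expected_admins, admin_group="admin"):
    """Return a sorted list of findings for accounts with elevated status
    that are not in `expected_admins`. Each finding records the username,
    whether the account is active, and why it was flagged."""
    records = json.loads(dump_text)
    groups_by_pk = {r["pk"]: r["fields"]["name"]
                    for r in records if r["model"] == "auth.group"}
    findings = []
    for rec in records:
        if rec["model"] != "auth.user":
            continue
        fields = rec["fields"]
        reasons = []
        if fields.get("is_staff"):
            reasons.append("is_staff")
        if fields.get("is_superuser"):
            reasons.append("is_superuser")
        if admin_group in _group_names(fields.get("groups", []), groups_by_pk):
            reasons.append(f"group:{admin_group}")
        if reasons and fields["username"] not in expected_admins:
            findings.append({
                "username": fields["username"],
                "active": bool(fields.get("is_active", True)),
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["username"])


def format_report(findings):
    """Render findings as one line per account for an administrator to review."""
    if not findings:
        return "No unexpected accounts with staff, superuser or admin-group status."
    lines = ["Accounts to review (revoke staff status unless expected):"]
    for f in findings:
        state = "active" if f["active"] else "inactive"
        lines.append(f"  {f['username']} ({state}): {', '.join(f['reasons'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_staff(SAMPLE_DUMP, EXPECTED_ADMINS)))
```

Inactive accounts are still reported: a disabled account that keeps staff status is a latent problem if it is ever re-enabled, so the review should cover it too.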

