CVE-2026-2108
Unknown Unknown - Not Provided
Denial of Service in jsbroks COCO Annotator /api/info/long_task Endpoint

Publication date: 2026-02-07

Last updated on: 2026-02-27

Assigner: VulDB

Description
A vulnerability was determined in jsbroks COCO Annotator up to 0.11.1. This impacts an unknown function of the file /api/info/long_task of the component Endpoint. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-07
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-07
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2108
EUVD
EUVD-2026-5719
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jsbroks coco_annotator to 0.11.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-404 The product does not release or incorrectly releases a resource before it is made available for re-use.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2108 is a denial of service (DoS) vulnerability found in jsbroks COCO Annotator versions up to 0.11.1. The issue exists in the endpoint /api/info/long_task, which is exposed without authentication or rate limiting.

The vulnerability arises because the endpoint allows any remote user to enqueue Celery background tasks and create database entries on every request. This leads to resource exhaustion as the system becomes overwhelmed by excessive task creation and database bloat.

An attacker can flood the endpoint with repeated requests, causing the application to become unresponsive and remain unusable even after the attack stops. The root cause is improper handling of resources and lack of security controls such as authentication and rate limiting.

Impact Analysis

This vulnerability impacts system availability by causing a denial of service condition remotely without requiring authentication.

An attacker can flood the vulnerable endpoint with millions of requests, overwhelming the Celery task queue and database, which results in the application becoming unresponsive.

Even after the attack stops, the system remains unusable due to the backlog of tasks and database overload, disrupting normal operations and potentially causing significant downtime.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring the behavior of the `/api/info/long_task` endpoint for signs of abuse or resource exhaustion. Symptoms include the frontend becoming unresponsive with indefinite loading spinners, HTTP requests slowing or failing, and system logs showing massive task creation and database inserts.

You can check the length of the Celery task queue using the Redis command to see if it is growing uncontrollably:

  • redis-cli LLEN celery

Additionally, a proof-of-concept attack involves flooding the endpoint with many parallel requests. To simulate or detect such activity, you might use a command like:

  • seq 1 9999999 | xargs -n1 -P50 curl -s http://localhost:5001/api/info/long_task

Monitoring for unusually high numbers of requests to this endpoint or sudden spikes in task creation and database entries can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation involves applying restrictive firewall rules to block or limit access to the vulnerable endpoint `/api/info/long_task`.

Since the vulnerability allows unauthenticated remote denial of service by flooding the task queue, restricting network access to trusted sources or internal networks can prevent exploitation.

Implementing authentication and rate limiting on the endpoint would be a longer-term fix, but as an immediate step, network-level controls are recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2108. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart