CVE-2026-2108
Denial of Service in jsbroks COCO Annotator /api/info/long_task Endpoint

Publication date: 2026-02-07

Last updated on: 2026-02-27

Assigner: VulDB

Description
A vulnerability was determined in jsbroks COCO Annotator up to 0.11.1. This impacts an unknown function of the file /api/info/long_task of the component Endpoint. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2026-02-07
Last Modified: 2026-02-27
Generated: 2026-05-07
AI Q&A: 2026-02-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: jsbroks
Product: coco_annotator
Version / Range: up to 0.11.1 (inclusive)
CWE-404: The product does not release or incorrectly releases a resource before it is made available for re-use.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-2108 is a denial of service (DoS) vulnerability found in jsbroks COCO Annotator versions up to 0.11.1. The issue exists in the endpoint /api/info/long_task, which is exposed without authentication or rate limiting.

The vulnerability arises because the endpoint allows any remote user to enqueue Celery background tasks and create database entries on every request. This leads to resource exhaustion as the system becomes overwhelmed by excessive task creation and database bloat.

An attacker can flood the endpoint with repeated requests, causing the application to become unresponsive and remain unusable even after the attack stops. The root cause is improper handling of resources and lack of security controls such as authentication and rate limiting.


How can this vulnerability impact me? :

This vulnerability impacts system availability by causing a denial of service condition remotely without requiring authentication.

An attacker can flood the vulnerable endpoint with millions of requests, overwhelming the Celery task queue and database, which results in the application becoming unresponsive.

Even after the attack stops, the system remains unusable due to the backlog of tasks and database overload, disrupting normal operations and potentially causing significant downtime.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the behavior of the `/api/info/long_task` endpoint for signs of abuse or resource exhaustion. Symptoms include the frontend becoming unresponsive with indefinite loading spinners, HTTP requests slowing or failing, and system logs showing massive task creation and database inserts.

You can check the length of the Celery task queue using the Redis command to see if it is growing uncontrollably:

  • redis-cli LLEN celery

Additionally, a proof-of-concept attack involves flooding the endpoint with many parallel requests. To simulate or detect such activity, you might use a command like:

  • seq 1 9999999 | xargs -n1 -P50 curl -s http://localhost:5001/api/info/long_task

Monitoring for unusually high numbers of requests to this endpoint or sudden spikes in task creation and database entries can help detect exploitation attempts.
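The detection advice above boils down to two signals: a burst of requests to `/api/info/long_task` from one client, and a Celery queue length that only grows. The script below is an added example written for this page, not part of COCO Annotator or of the CVE record. It assumes the API sits behind a reverse proxy that writes Combined Log Format access lines and that the queue length is sampled periodically with `redis-cli LLEN celery`; the log lines and queue readings it analyses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

ENDPOINT = "/api/info/long_task"

# Combined Log Format: client ip, identd, user, [timestamp], "request", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_line(line):
    """Return (client_ip, timestamp, path) for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, stamp, _method, path, _status, _size = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, ts, path


def find_floods(lines, path=ENDPOINT, window_s=60, threshold=30):
    """Map each client ip to its peak number of requests for `path` inside any
    sliding window of `window_s` seconds; keep only clients that reach `threshold`."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[2] == path:
            hits.append((parsed[1], parsed[0]))
    hits.sort()  # lines from several proxy workers are not guaranteed to be in time order
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, ip in hits:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def queue_is_runaway(llen_samples, last_n=5, min_growth=1000):
    """Given periodic `redis-cli LLEN celery` readings (oldest first), flag a queue
    that has grown strictly on each of the last `last_n` samples by at least `min_growth`.
    A healthy queue drains between samples; a flooded one never does."""
    tail = llen_samples[-last_n:]
    if len(tail) < last_n:
        return False
    strictly_up = all(b > a for a, b in zip(tail, tail[1:]))
    return strictly_up and (tail[-1] - tail[0]) >= min_growth


def _fmt(ip, t, path):
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 51'


def build_sample_log():
    """Constructed access log: one normal client, one client hammering the endpoint."""
    base = datetime(2026, 2, 7, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(3):  # legitimate user: three requests a minute apart
        lines.append(_fmt("198.51.100.20", base + timedelta(seconds=60 * i), ENDPOINT))
    for i in range(50):  # abusive client: fifty requests inside two seconds
        lines.append(_fmt("203.0.113.7", base + timedelta(milliseconds=40 * i), ENDPOINT))
    lines.append(_fmt("203.0.113.7", base, "/api/annotator/"))  # other routes are ignored
    return lines


if __name__ == "__main__":
    print("clients flooding the endpoint:", find_floods(build_sample_log()))
    print("queue runaway:", queue_is_runaway([12, 9, 15, 1400, 2900, 4300, 5800, 7100]))
```

In production you would feed `find_floods` the tail of the proxy's access log and `queue_is_runaway` a ring buffer of `LLEN` readings taken every few seconds; the threshold of 30 requests per minute per client is an assumption to tune against the site's real traffic, since a legitimate annotator UI polls this endpoint far less often.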


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves applying restrictive firewall rules to block or limit access to the vulnerable endpoint `/api/info/long_task`.

Since the vulnerability allows unauthenticated remote denial of service by flooding the task queue, restricting network access to trusted sources or internal networks can prevent exploitation.

Implementing authentication and rate limiting on the endpoint would be a longer-term fix, but as an immediate step, network-level controls are recommended.
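The answer above names authentication and rate limiting on the endpoint as the durable fix. The middleware below is an added example written for this page, not COCO Annotator's own code: it assumes the backend is served as a WSGI application, that `/api/info/long_task` is the exact path to protect, that callers present a bearer token from a list the operator controls, and that any `X-Forwarded-For` header is set by a reverse proxy the operator also controls. The token value and the upstream stub are constructed for the example.

```python
import hmac
import time
from collections import defaultdict, deque

PROTECTED_PATH = "/api/info/long_task"


class LongTaskGuard:
    """WSGI middleware: require a bearer token and cap per-client request rate on the
    long_task endpoint. Requests for every other path pass through untouched."""

    def __init__(self, app, valid_tokens, max_requests=5, window_s=60, clock=time.monotonic):
        self.app = app
        self.valid_tokens = list(valid_tokens)
        self.max_requests = max_requests
        self.window_s = window_s
        self.clock = clock            # injectable so the limiter can be tested without sleeping
        self.history = defaultdict(deque)

    def _client_id(self, environ):
        # Assumption: X-Forwarded-For is only trusted because a proxy we control sets it.
        fwd = environ.get("HTTP_X_FORWARDED_FOR")
        if fwd:
            return fwd.split(",")[0].strip()
        return environ.get("REMOTE_ADDR", "unknown")

    def _authenticated(self, environ):
        auth = environ.get("HTTP_AUTHORIZATION", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
        # Constant-time comparison against each configured token.
        return any(hmac.compare_digest(token, t) for t in self.valid_tokens)

    def _over_limit(self, client):
        now = self.clock()
        q = self.history[client]
        while q and now - q[0] > self.window_s:  # drop timestamps outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return True
        q.append(now)
        return False

    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") != PROTECTED_PATH:
            return self.app(environ, start_response)
        if not self._authenticated(environ):
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required\n"]
        if self._over_limit(self._client_id(environ)):
            headers = [("Content-Type", "text/plain"), ("Retry-After", str(self.window_s))]
            start_response("429 Too Many Requests", headers)
            return [b"rate limit exceeded\n"]
        return self.app(environ, start_response)


def upstream(environ, start_response):
    """Stand-in for the real application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"task queued\n"]


def simulate(guard, path, token=None, remote_addr="203.0.113.7"):
    """Invoke the guarded app once with a minimal WSGI environ; return the status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "REMOTE_ADDR": remote_addr}
    if token is not None:
        environ["HTTP_AUTHORIZATION"] = "Bearer " + token
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    b"".join(guard(environ, start_response))  # consume the body as a server would
    return captured["status"]


if __name__ == "__main__":
    guard = LongTaskGuard(upstream, ["example-token"], max_requests=5, window_s=60)
    print(simulate(guard, "/api/annotator/"))                       # 200 OK, not guarded
    print(simulate(guard, PROTECTED_PATH))                           # 401 Unauthorized
    for _ in range(6):                                               # sixth call is 429
        print(simulate(guard, PROTECTED_PATH, token="example-token"))
```

Because the limiter rejects the request before the application runs, an over-limit or unauthenticated call never reaches the code that enqueues a Celery task or writes to the database, which is exactly the resource the CWE-404 entry says is not being released. The in-memory history is per process; behind several workers the counters would live in Redis instead, but the decision logic is the same.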
