CVE-2026-7681
Authorization Bypass in COCO Annotator Dataset API
Publication date: 2026-05-03
Last updated on: 2026-05-05
Assigner: VulDB
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jsbroks | coco_annotator | up to 0.11.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the jsbroks COCO Annotator software, specifically in the Dataset API component within the file backend/webserver/api/datasets.py. It involves manipulation of the DatasetId argument, which leads to an authorization bypass. This means an attacker can remotely exploit this flaw to gain unauthorized access or perform actions without proper permissions.
How can this vulnerability impact me?
The vulnerability allows an attacker to bypass authorization controls remotely, potentially enabling them to perform unauthorized actions or access data within the Dataset API. This can lead to integrity and availability impacts, such as unauthorized modification or disruption of data or services.