← Voltar para CVEs
CVE-2026-23526
HIGH8.8
Descricao
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the issue. As a workaround, review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges.
Detalhes CVE
Pontuacao CVSS v3.18.8
SeveridadeHIGH
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioNONE
Publicado1/21/2026
Ultima modificacao2/20/2026
Fontenvd
Avistamentos honeypot0
Produtos afetados
cvat:computer_vision_annotation_tool
Fraquezas (CWE)
CWE-267
Referencias
https://github.com/cvat-ai/cvat/commit/88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4(security-advisories@github.com)
https://github.com/cvat-ai/cvat/security/advisories/GHSA-7pvv-w55f-qmw7(security-advisories@github.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.