PT-2026-53931 · Cvat Ai · Cvat

George Chen


Published

2026-06-30


Updated

2026-06-30


CVE-2026-58373

CVSS v3.1

4.3

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVAT before 2.69.0 contains an improper authorization vulnerability in `QualityReportViewSet.get_queryset` that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations, because `check_object_permissions` is never called on the `parent_id` query parameter of the quality reports API endpoint. An attacker can send requests with sequential integer `parent_id` values and distinguish existing from non-existing reports by the HTTP 500 versus HTTP 404 response difference, disclosing the existence of reports across organizations without returning any report content.
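The defect described above is a response oracle: the parent object is filtered on before its permissions are checked, so a forbidden parent and a missing parent fail in different ways. The following added example (illustrative code written for this page, not CVAT's implementation; the `Task`, `QualityReport`, `weak_get_queryset` and `hardened_get_queryset` names and the sample data are constructed) models the weak lookup beside a hardened one that resolves and authorizes the parent first and collapses "missing" and "not yours" into the same 404.

```python
"""Model of a parent-id authorization oracle and its fix (constructed example)."""
from dataclasses import dataclass
from typing import Callable, List


class NotFound(Exception):
    """Maps to HTTP 404."""


@dataclass(frozen=True)
class User:
    id: int
    org_id: int


@dataclass(frozen=True)
class Task:
    """The parent object that a quality report belongs to (assumed model)."""
    id: int
    org_id: int


@dataclass(frozen=True)
class QualityReport:
    id: int
    parent_id: int  # id of the owning Task


# Constructed sample data: task 1 belongs to org 10, task 2 to org 20.
TASKS = {1: Task(1, org_id=10), 2: Task(2, org_id=20)}
REPORTS = [QualityReport(100, parent_id=1),
           QualityReport(101, parent_id=1),
           QualityReport(200, parent_id=2)]


def weak_get_queryset(user: User, parent_id: int) -> List[QualityReport]:
    """Weak pattern: filter by parent_id without authorizing the parent.

    No matching rows -> 404. Rows that exist but belong to another org hit an
    unguarded code path and surface as an unhandled error (500). The two
    outcomes differ, so an outsider learns whether reports exist for parent_id.
    """
    rows = [r for r in REPORTS if r.parent_id == parent_id]
    if not rows:
        raise NotFound()
    for r in rows:
        if TASKS[r.parent_id].org_id != user.org_id:
            raise RuntimeError("permission failure in an unguarded path")  # -> 500
    return rows


def hardened_get_queryset(user: User, parent_id: int) -> List[QualityReport]:
    """Hardened pattern: resolve and authorize the parent before touching reports.

    Equivalent of calling check_object_permissions on the parent. A missing
    parent and a parent the caller may not see both become 404, so the
    response no longer reveals whether anything exists behind parent_id.
    """
    task = TASKS.get(parent_id)
    if task is None or task.org_id != user.org_id:
        raise NotFound()
    return [r for r in REPORTS if r.parent_id == parent_id]


def http_status(view: Callable[[User, int], list], user: User, parent_id: int) -> int:
    """Translate the view outcome into the status code a client would observe."""
    try:
        view(user, parent_id)
        return 200
    except NotFound:
        return 404
    except Exception:
        return 500


def leaks_existence(view: Callable[[User, int], list], user: User,
                    foreign_parent: int, missing_parent: int) -> bool:
    """True if a foreign-org parent and a nonexistent parent are distinguishable."""
    return http_status(view, user, foreign_parent) != http_status(view, user, missing_parent)


if __name__ == "__main__":
    alice = User(1, org_id=10)
    for name, view in (("weak", weak_get_queryset), ("hardened", hardened_get_queryset)):
        codes = [http_status(view, alice, pid) for pid in (1, 2, 999)]
        print(name, "own/foreign/missing ->", codes,
              "leaks:", leaks_existence(view, alice, 2, 999))
```

Returning 404 rather than 403 for the inaccessible parent is deliberate: a 403 would still confirm that something exists at that id, which is the very signal the advisory describes. The check must also run on the parent taken from the query parameter, not only on the rows the filter happens to return, because an empty result set is itself a distinguishable outcome.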

Fix

Missing Authorization


Weakness Enumeration

Related identifiers

CVE-2026-58373

Affected products

Cvat