PT-2026-3869 · Cvat · Cvat

Arkmarta

Published

2026-01-21

Updated

2026-02-17

CVE-2026-23526

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions CVAT versions 1.0.0 through 2.54.0

Description CVAT is an open source interactive video and image annotation tool for computer vision. Users with staff status can modify their permissions, including granting themselves superuser status and joining the admin group, which provides full access to the data within the CVAT instance.

Recommendations Versions prior to 2.55.0 should be updated. Review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges as a workaround.

Exploit

Fix

LPE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-267

Related Identifiers

CVE-2026-23526

GHSA-7PVV-W55F-QMW7

Affected Products

Cvat

PT-2026-3869 · Cvat · Cvat

CVE-2026-23526

Weakness Enumeration

Related Identifiers

Affected Products

References · 8