PT-2026-53931 · Cvat Ai · Cvat
George Chen · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-58373
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations: the parent_id query parameter of the quality reports API endpoint is used without a check_object_permissions call on the referenced parent report. Attackers can send requests with sequential integer parent_id values and distinguish existing from non-existing reports by the HTTP 500 versus HTTP 404 response difference, disclosing cross-organization report existence without returning any report content.
Weakness Enumeration
Missing Authorization
Affected Products
Cvat