PT-2026-53931 · Cvat Ai · Cvat

George Chen · Published 2026-06-30 · Updated 2026-06-30 · CVE-2026-58373

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations, because the parent_id query parameter of the quality reports API endpoint is used without a check_object_permissions call. An attacker can send requests with sequential integer parent_id values and distinguish existing from non-existing reports by the HTTP 500 versus HTTP 404 response difference, disclosing cross-organization report existence without returning report content.
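The authorization pattern behind this issue, as an added framework-free model written for this page (it is not CVAT's code): the parent object is authorized with a check_object_permissions-style call before the report list is built, and a missing parent and a parent in another organization get the same 404, so a sequential parent_id probe learns nothing from the status code. The organization-membership policy, the sample data and the choice to answer 404 rather than 403 are assumptions.

```python
from dataclasses import dataclass
# Constructed model of the CVE-2026-58373 pattern; not CVAT's code.

@dataclass(frozen=True)
class User:
    org_id: int

@dataclass(frozen=True)
class Parent:  # the object a quality report belongs to, addressed by parent_id
    org_id: int

@dataclass(frozen=True)
class QualityReport:
    id: int
    parent_id: int

# Constructed sample data: two organizations, one parent and one report each.
PARENTS = {1: Parent(org_id=10), 2: Parent(org_id=20)}
REPORTS = [QualityReport(100, parent_id=1), QualityReport(200, parent_id=2)]

class HttpError(Exception):
    def __init__(self, status: int):
        super().__init__(status)
        self.status = status

def check_object_permissions(user: User, obj: Parent) -> None:
    """Stand-in for DRF's APIView.check_object_permissions: raise unless the
    caller belongs to the object's organization (assumed policy)."""
    if obj.org_id != user.org_id:
        raise HttpError(403)

def get_queryset(user: User, parent_id: int) -> list[QualityReport]:
    """Hardened lookup: authorize the parent before building the report list and
    answer 404 for a missing and a foreign parent alike (no existence oracle)."""
    parent = PARENTS.get(parent_id)
    if parent is None:
        raise HttpError(404)
    try:
        check_object_permissions(user, parent)
    except HttpError:
        raise HttpError(404) from None  # collapse 403 into 404 on purpose
    return [r for r in REPORTS if r.parent_id == parent_id]

def handle(user: User, parent_id: int) -> tuple[int, list[int]]:
    """What the view layer would surface: (HTTP status, report ids)."""
    try:
        return 200, [r.id for r in get_queryset(user, parent_id)]
    except HttpError as err:
        return err.status, []
```

A regression test for the fix should assert that the status for a parent in another organization equals the status for a parent id that does not exist, not merely that the foreign request is refused.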

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers: CVE-2026-58373

Affected Products: Cvat