PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-58373 cvat-ai CVE debrief

The Computer Vision Annotation Tool (CVAT) contains an improper authorization vulnerability, tracked as CVE-2026-58373, affecting CVAT versions before 2.69.0. This issue allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. The vulnerability has a CVSS score of 5.3 and is considered medium severity. Users of CVAT versions prior to 2.69.0 should apply patches to prevent unauthorized enumeration of quality report identifiers. The CVAT project has addressed this issue in version 2.69.0.

Vendor
cvat-ai
Product
cvat
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-30
Original CVE updated
2026-07-13
Advisory published
2026-06-30
Advisory updated
2026-07-13

Who should care

Users of Computer Vision Annotation Tool (CVAT) versions prior to 2.69.0 should apply patches to prevent unauthorized enumeration of quality report identifiers. This includes operators, administrators, and security teams managing CVAT deployments. Additionally, vulnerability management teams should review and implement secure coding practices to prevent similar vulnerabilities in the future.

Technical summary

The CVAT tool, used for annotating video and images for machine learning models, contains an improper authorization vulnerability. This vulnerability, tracked as CVE-2026-58373, affects CVAT versions before 2.69.0. The issue lies in the QualityReportViewSet.get_queryset method, where a missing call to check_object_permissions on the parent_id query parameter of the quality reports API endpoint allows authenticated attackers to enumerate quality report identifiers belonging to other organizations. By sending requests with sequential integer parent_id values, attackers can distinguish between existing and non-existing reports based on HTTP response codes (HTTP 500 for existing, HTTP 404 for non-existing), thereby disclosing the existence of cross-organization reports without exposing report content.

Defensive priority

Medium priority due to the CVSS score of 5.3 and the potential for attackers to exploit this vulnerability to gather information about reports across different organizations.

Recommended defensive actions

  • Apply the patch from https://github.com/cvat-ai/cvat/commit/27953f19d2265f8b495369f816730a7452db791b
  • Upgrade to CVAT version 2.69.0 or later as detailed in https://github.com/cvat-ai/cvat/releases/tag/v2.69.0
  • Review and implement secure coding practices to prevent similar vulnerabilities in the future
  • Monitor for suspicious API requests that could indicate exploitation attempts
  • Consider compensating controls such as Web Application Firewalls (WAFs) to detect and prevent exploitation

Evidence notes

The CVE record and NVD entry provide details about the vulnerability. The CVAT project has addressed this issue in version 2.69.0. Additional information can be found in the references provided. Evidence limits suggest that defenders verify CVAT version deployments, review API request logs for potential exploitation attempts, and consider compensating controls such as Web Application Firewalls (WAFs) to detect and prevent exploitation. The vulnerability allows attackers to distinguish between existing and non-existing reports via HTTP response codes, disclosing cross-organization report existence without returning report content.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-30T17:16:25.597Z and has not been modified since then.