PatchSiren cyber security CVE debrief
CVE-2026-58373 cvat-ai CVE debrief
The Computer Vision Annotation Tool (CVAT) contains an improper authorization vulnerability, tracked as CVE-2026-58373, affecting CVAT versions before 2.69.0. This issue allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. The vulnerability has a CVSS score of 5.3 and is considered medium severity. Users of CVAT versions prior to 2.69.0 should apply patches to prevent unauthorized enumeration of quality report identifiers. The CVAT project has addressed this issue in version 2.69.0.
- Vendor
- cvat-ai
- Product
- cvat
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-30
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-06-30
- Advisory updated
- 2026-07-13
Who should care
Users of Computer Vision Annotation Tool (CVAT) versions prior to 2.69.0 should apply patches to prevent unauthorized enumeration of quality report identifiers. This includes operators, administrators, and security teams managing CVAT deployments. Additionally, vulnerability management teams should review and implement secure coding practices to prevent similar vulnerabilities in the future.
Technical summary
The CVAT tool, used for annotating video and images for machine learning models, contains an improper authorization vulnerability. This vulnerability, tracked as CVE-2026-58373, affects CVAT versions before 2.69.0. The issue lies in the QualityReportViewSet.get_queryset method, where a missing call to check_object_permissions on the parent_id query parameter of the quality reports API endpoint allows authenticated attackers to enumerate quality report identifiers belonging to other organizations. By sending requests with sequential integer parent_id values, attackers can distinguish between existing and non-existing reports based on HTTP response codes (HTTP 500 for existing, HTTP 404 for non-existing), thereby disclosing the existence of cross-organization reports without exposing report content.
Defensive priority
Medium priority due to the CVSS score of 5.3 and the potential for attackers to exploit this vulnerability to gather information about reports across different organizations.
Recommended defensive actions
- Apply the patch from https://github.com/cvat-ai/cvat/commit/27953f19d2265f8b495369f816730a7452db791b
- Upgrade to CVAT version 2.69.0 or later as detailed in https://github.com/cvat-ai/cvat/releases/tag/v2.69.0
- Review and implement secure coding practices to prevent similar vulnerabilities in the future
- Monitor for suspicious API requests that could indicate exploitation attempts
- Consider compensating controls such as Web Application Firewalls (WAFs) to detect and prevent exploitation
Evidence notes
The CVE record and NVD entry provide details about the vulnerability. The CVAT project has addressed this issue in version 2.69.0. Additional information can be found in the references provided. Evidence limits suggest that defenders verify CVAT version deployments, review API request logs for potential exploitation attempts, and consider compensating controls such as Web Application Firewalls (WAFs) to detect and prevent exploitation. The vulnerability allows attackers to distinguish between existing and non-existing reports via HTTP response codes, disclosing cross-organization report existence without returning report content.
Official resources
-
CVE-2026-58373 CVE record
CVE.org
-
CVE-2026-58373 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Patch
-
Mitigation or vendor reference
[email protected] - Issue Tracking, Patch
-
Mitigation or vendor reference
[email protected] - Release Notes
-
Mitigation or vendor reference
[email protected] - Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-30T17:16:25.597Z and has not been modified since then.