CVE-2026-2108 Overview
A denial of service vulnerability has been identified in jsbroks COCO Annotator up to version 0.11.1. This vulnerability affects the /api/info/long_task endpoint, allowing remote attackers to initiate a task queue flood that causes service disruption. The vulnerability has been publicly disclosed, and the vendor was contacted but did not respond to the disclosure.
Critical Impact
Unauthenticated remote attackers can flood the task queue and cause denial of service, potentially disrupting annotation workflows and machine learning data preparation pipelines.
Affected Products
- jsbroks COCO Annotator up to version 0.11.1
- Installations with exposed /api/info/long_task endpoint
- Network-accessible COCO Annotator deployments
Discovery Timeline
- 2026-02-07 - CVE-2026-2108 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-2108
Vulnerability Analysis
This vulnerability is classified as CWE-404 (Improper Resource Shutdown or Release), indicating that the application fails to properly manage resources when handling requests to the /api/info/long_task endpoint. The vulnerability allows unauthenticated attackers to remotely trigger resource exhaustion through repeated requests that flood the task queue system.
The attack is network-based and requires no authentication or user interaction, making it accessible to any remote attacker who can reach the vulnerable endpoint. The impact is limited to availability, with no direct compromise of confidentiality or integrity.
Root Cause
The root cause lies in improper resource management within the task queue handling mechanism. The /api/info/long_task endpoint does not implement adequate rate limiting or authentication controls, allowing unlimited task creation requests from unauthenticated users. This design flaw enables attackers to overwhelm the system's task processing capabilities.
Attack Vector
The attack is initiated remotely via the network by sending repeated HTTP requests to the /api/info/long_task endpoint. Without proper access controls or rate limiting, an attacker can flood the task queue with malicious requests, exhausting system resources and causing legitimate requests to be delayed or dropped entirely.
The vulnerability mechanism involves sending unauthenticated requests to the long task endpoint, which queues processing jobs without validation. When the queue is flooded with excessive requests, the system becomes unable to process legitimate annotation tasks, resulting in denial of service. Technical details are available in the GitHub Vulnerability Research report.
Detection Methods for CVE-2026-2108
Indicators of Compromise
- Unusual spike in HTTP requests to the /api/info/long_task endpoint
- Task queue depth growing abnormally or becoming unresponsive
- System resource exhaustion (CPU, memory) correlated with API traffic patterns
- Multiple rapid requests from single IP addresses or unusual geographic sources
Detection Strategies
- Monitor web server access logs for high-frequency requests to /api/info/long_task
- Implement application-level logging to track task queue depth and processing times
- Deploy network traffic analysis to detect anomalous request patterns targeting the vulnerable endpoint
- Configure alerting for sudden increases in pending task count
Monitoring Recommendations
- Set up real-time monitoring for the COCO Annotator task queue metrics
- Establish baseline request rates and alert on deviations exceeding normal thresholds
- Monitor system resource utilization for signs of resource exhaustion attacks
- Review web application firewall logs for blocked or suspicious requests to API endpoints
How to Mitigate CVE-2026-2108
Immediate Actions Required
- Restrict network access to COCO Annotator instances to trusted IP ranges only
- Implement authentication requirements for the /api/info/long_task endpoint
- Deploy rate limiting at the reverse proxy or web application firewall level
- Consider temporarily disabling the vulnerable endpoint if not critical to operations
Patch Information
No official patch has been released by the vendor. The vendor was contacted about this disclosure but did not respond. Users should implement defensive measures and monitor the VulDB entry for updates on any future patches or vendor response.
Workarounds
- Place COCO Annotator behind a reverse proxy with rate limiting configured
- Implement IP-based access controls to restrict API access to trusted networks
- Deploy a web application firewall with rules to detect and block request flooding patterns
- Consider network segmentation to isolate annotation services from untrusted network segments
# Example nginx rate limiting configuration
# Add to server or location block for /api/info/long_task
limit_req_zone $binary_remote_addr zone=task_limit:10m rate=10r/s;
location /api/info/long_task {
limit_req zone=task_limit burst=20 nodelay;
# Additional authentication recommended
proxy_pass http://coco_annotator_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
