CVE-2026-2109 Overview
A vulnerability was identified in jsbroks COCO Annotator up to and including version 0.11.1. The affected code is an unspecified function behind the /api/undo/ endpoint, in the component described as the Delete Category Handler. Manipulating the ID argument leads to improper authorization: the endpoint accepts a delete request from any authenticated user without checking that this user is allowed to delete the referenced category. The issue is reported as Broken Function Level Authorization (BFLA) and is exploitable remotely.
Critical Impact
Authenticated attackers can bypass authorization controls to delete or modify categories belonging to other users, potentially causing data integrity issues and unauthorized data manipulation in collaborative annotation projects.
Affected Products
- jsbroks COCO Annotator versions up to and including 0.11.1
- Deployments exposing the /api/undo/ endpoint
- Instances without additional authorization controls on DELETE operations
Discovery Timeline
- February 7, 2026 - CVE-2026-2109 published to NVD
- February 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-2109
Vulnerability Analysis
This vulnerability is classified as CWE-266 (Incorrect Privilege Assignment) and is reported as a Broken Function Level Authorization (BFLA) issue. The Delete Category Handler in COCO Annotator does not verify that the requesting user is permitted to delete the category identified by the ID parameter, so an authenticated user can supply the ID of a category that belongs to another user or project.
The missing check is the one that ties the delete operation to the caller's rights on the referenced category. Authentication is enforced, but once a request is authenticated the handler trusts whatever ID it is given. An attacker with valid low-privileged credentials therefore only has to change the ID parameter to reference a category created by someone else to bypass the intended access control model.
Root Cause
The root cause stems from insufficient authorization validation in the Delete Category Handler. The application verifies that a user is authenticated but fails to confirm whether the authenticated user has legitimate ownership or permission to delete the specified category. This is a common API security flaw where authentication is enforced but authorization at the object level is absent.
Attack Vector
The attack is launched remotely over the network and requires nothing more than an authenticated account. The attacker needs to:
- Obtain valid credentials for the COCO Annotator instance (a low-privileged account is enough; no administrative rights are required)
- Identify or enumerate category IDs belonging to other users
- Send a DELETE request to /api/undo/ carrying the target category ID
The server processes the request without verifying ownership, and the category is deleted.
The result is an integrity violation (unauthorized deletion of data) and potentially an availability impact if categories that a project depends on are deleted. According to the vulnerability research, the exploit mechanism is publicly documented and may be used by malicious actors.
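The gap described above, as an added example that is not code from COCO Annotator: a framework-free Python model of a delete handler that only checks authentication, beside a hardened version that also requires the caller to own the category or to be an administrator. The in-memory store, the Category record, the user names and the admin set are assumptions made for illustration; the real handler's signature and storage are not shown on this page.

```python
# Added example (not COCO Annotator's own code): vulnerable delete handler next to
# a hardened one. Store layout, Category fields, user names and the admin set are
# assumptions for illustration.
from dataclasses import dataclass


@dataclass
class Category:
    id: int
    name: str
    creator: str  # assumption: the user who created the category owns it


class NotAuthenticated(Exception):
    """Raised when no user is logged in (the only check the vulnerable handler makes)."""


def sample_store():
    """Constructed data: two categories owned by two different users."""
    return {
        1: Category(1, "car", creator="alice"),
        2: Category(2, "person", creator="bob"),
    }


def delete_category_vulnerable(store, current_user, category_id):
    """Mirrors the flaw: authentication is verified, ownership is not.
    Any logged-in user can delete any category just by changing `category_id`."""
    if current_user is None:
        raise NotAuthenticated()
    if category_id not in store:
        return {"success": False, "message": "Category not found"}
    del store[category_id]
    return {"success": True}


def delete_category_hardened(store, current_user, category_id, admins=frozenset()):
    """Hardened form: the delete function is tied to the caller's rights on the
    referenced category. Only its creator or an administrator may delete it."""
    if current_user is None:
        raise NotAuthenticated()
    category = store.get(category_id)
    allowed = category is not None and (
        category.creator == current_user or current_user in admins
    )
    # Design choice: answer "not found" for both a missing ID and a foreign ID so
    # the endpoint cannot be used to enumerate other users' category IDs.
    if not allowed:
        return {"success": False, "message": "Category not found"}
    del store[category_id]
    return {"success": True}


def demo():
    """bob targets alice's category (id 1) through both handlers."""
    vulnerable = sample_store()
    hardened = sample_store()
    return {
        "vulnerable": delete_category_vulnerable(vulnerable, "bob", 1),
        "vulnerable_store_after": sorted(vulnerable),
        "hardened": delete_category_hardened(hardened, "bob", 1),
        "hardened_store_after": sorted(hardened),
    }


if __name__ == "__main__":
    print(demo())
```

Whether a foreign ID should answer 403 or 404 is a deployment decision; the uniform "not found" above is chosen because the same endpoint would otherwise confirm which IDs exist.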
Detection Methods for CVE-2026-2109
Indicators of Compromise
- Unusual DELETE requests to the /api/undo/ endpoint with varying ID parameters from a single user
- Audit log entries showing category deletions by users who did not create those categories
- User complaints about missing annotation categories they did not delete
- Spike in DELETE API calls from specific authenticated sessions
Detection Strategies
- Implement API request logging with user identity correlation to track DELETE operations
- Monitor for sequential or enumerated ID values in DELETE requests to the /api/undo/ endpoint
- Create alerts for DELETE operations targeting resources where the requesting user is not the owner; this requires joining the request log with ownership data from the application database
- Review access patterns for anomalous cross-user resource access attempts
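Detection logic for the strategies above, as an added example and not tooling from COCO Annotator. The key=value log layout, the user names and the ownership map are constructed for illustration; what the real application logs is not described on this page, so `parse_line` must be adapted to the deployment's actual access log.

```python
# Added example (not COCO Annotator's own tooling): flag enumeration of category
# IDs and cross-user deletes in DELETE /api/undo/ requests. Log format, users and
# the ownership map are constructed for illustration.
from collections import defaultdict

# Constructed log lines in a key=value layout; adapt `parse_line` to the real format.
SAMPLE_LOG = """\
ts=2026-02-09T10:00:01Z user=alice method=DELETE path=/api/undo/ id=1 status=200
ts=2026-02-09T10:00:05Z user=bob method=GET path=/api/category/ status=200
ts=2026-02-09T10:01:00Z user=bob method=DELETE path=/api/undo/ id=2 status=200
ts=2026-02-09T10:01:01Z user=bob method=DELETE path=/api/undo/ id=3 status=200
ts=2026-02-09T10:01:02Z user=bob method=DELETE path=/api/undo/ id=4 status=200
ts=2026-02-09T10:01:03Z user=bob method=DELETE path=/api/undo/ id=5 status=200
ts=2026-02-09T10:02:00Z user=carol method=DELETE path=/api/undo/ id=9 status=200
"""

# Constructed ownership map (category id -> creator); in practice join against
# the application database.
OWNERS = {1: "alice", 2: "bob", 3: "alice", 4: "alice", 5: "dave", 9: "carol"}


def parse_line(line):
    """Turn one key=value log line into a dict; `id` becomes an int when present."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    if "id" in fields:
        fields["id"] = int(fields["id"])
    return fields


def undo_deletes(log_text):
    """Only DELETE requests to /api/undo/ that carry an id matter for this CVE."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [
        e for e in events
        if e["method"] == "DELETE" and e["path"] == "/api/undo/" and "id" in e
    ]


def enumerating_users(events, min_ids=3):
    """Users that deleted at least `min_ids` distinct IDs. A run of consecutive
    IDs is reported separately because it is the signature of blind enumeration."""
    ids_by_user = defaultdict(set)
    for e in events:
        ids_by_user[e["user"]].add(e["id"])
    findings = {}
    for user, ids in ids_by_user.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        sequential = all(b - a == 1 for a, b in zip(ordered, ordered[1:]))
        findings[user] = {"distinct_ids": len(ids), "sequential": sequential}
    return findings


def cross_user_deletes(events, owners):
    """DELETEs where the requester is not the category's creator."""
    return [
        (e["user"], e["id"], owners[e["id"]])
        for e in events
        if e["id"] in owners and owners[e["id"]] != e["user"]
    ]


if __name__ == "__main__":
    evs = undo_deletes(SAMPLE_LOG)
    print(enumerating_users(evs))
    print(cross_user_deletes(evs, OWNERS))
```

On the constructed data, bob is flagged both ways: four distinct consecutive IDs in a few seconds, three of which belong to other users. The enumeration heuristic alone is noisy (a legitimate cleanup can also delete several IDs), so the cross-user join is the higher-confidence signal.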
Monitoring Recommendations
- Enable comprehensive audit logging for all DELETE operations in COCO Annotator
- Deploy web application firewall rules to rate-limit DELETE requests to sensitive endpoints; rate limiting slows ID enumeration but does not stop a single targeted deletion
- Implement real-time alerting for authorization failure patterns in API access logs
- Regularly review audit logs for evidence of authorization bypass attempts
How to Mitigate CVE-2026-2109
Immediate Actions Required
- Restrict network access to COCO Annotator instances to trusted users and networks only
- Implement additional authentication layers or IP allowlisting for administrative functions
- Review and audit existing category data for signs of unauthorized modifications or deletions
- Consider disabling the /api/undo/ endpoint if not critical to operations until a patch is available
Patch Information
No official patch has been released by the vendor at this time. According to the vulnerability disclosure, the vendor was contacted early about this issue but did not respond. Organizations using COCO Annotator should monitor the project's GitHub repository for security updates and consider implementing workarounds until an official fix is available.
For more technical details on this vulnerability, refer to the GitHub Vulnerability Research Document and the VulDB advisory.
Workarounds
- Deploy a reverse proxy or API gateway with custom authorization rules to validate object ownership before allowing DELETE operations
- Implement network segmentation to limit access to the COCO Annotator API to only necessary systems
- Add application-level middleware to enforce authorization checks on the /api/undo/ endpoint
- Consider forking the project and implementing proper authorization validation in the Delete Category Handler code
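One way to implement the reverse-proxy or middleware workaround above, as an added example and not code from COCO Annotator: a WSGI middleware that refuses DELETE /api/undo/ unless the caller owns the referenced category, so the check runs before the request reaches the unpatched handler. It assumes that the category ID arrives as the `id` query parameter or as a JSON body field, that an identity-aware proxy in front of the application sets an X-Authenticated-User header, and that the operator supplies a `lookup_owner` callable (for example a query against the application's database); none of these details are taken from the page.

```python
# Added example (not COCO Annotator's own code): WSGI middleware that enforces
# ownership on DELETE /api/undo/ before the request reaches the application.
# Assumptions: `id` comes as a query parameter or JSON body field, an upstream
# proxy sets X-Authenticated-User, and `lookup_owner` maps category id -> owner.
import io
import json
from urllib.parse import parse_qs


class UndoDeleteGuard:
    def __init__(self, app, lookup_owner, admins=frozenset()):
        self.app = app
        self.lookup_owner = lookup_owner  # category id -> owner name, or None
        self.admins = admins

    def _category_id(self, environ):
        """Extract `id` from the query string, falling back to a JSON body."""
        qs = parse_qs(environ.get("QUERY_STRING", ""))
        if "id" in qs:
            return qs["id"][0]
        if environ.get("CONTENT_TYPE", "").startswith("application/json"):
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length)
            environ["wsgi.input"] = io.BytesIO(body)  # hand the body on unchanged
            environ["CONTENT_LENGTH"] = str(len(body))
            try:
                return json.loads(body or b"{}").get("id")
            except ValueError:
                return None
        return None

    def __call__(self, environ, start_response):
        is_undo_delete = (
            environ.get("REQUEST_METHOD") == "DELETE"
            and environ.get("PATH_INFO", "").rstrip("/") == "/api/undo"
        )
        if is_undo_delete:
            user = environ.get("HTTP_X_AUTHENTICATED_USER")
            cid = self._category_id(environ)
            try:
                owner = self.lookup_owner(int(cid)) if cid is not None else None
            except (TypeError, ValueError):
                owner = None  # non-numeric or missing id: deny
            if not user or owner is None or (owner != user and user not in self.admins):
                start_response("403 Forbidden", [("Content-Type", "application/json")])
                return [b'{"success": false, "message": "Not authorized"}']
        return self.app(environ, start_response)


def _dummy_app(environ, start_response):
    """Stand-in for the real application, which would perform the delete."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"success": true}']


def send(app, method, path, user=None, query="", body=None):
    """Drive a WSGI app offline and return (status, body)."""
    raw = json.dumps(body).encode() if body is not None else b""
    environ = {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "QUERY_STRING": query,
        "CONTENT_TYPE": "application/json" if body is not None else "",
        "CONTENT_LENGTH": str(len(raw)),
        "wsgi.input": io.BytesIO(raw),
    }
    if user:
        environ["HTTP_X_AUTHENTICATED_USER"] = user
    status = {}

    def start_response(s, headers):
        status["code"] = s

    out = b"".join(app(environ, start_response))
    return status["code"], out


OWNERS = {1: "alice", 2: "bob"}  # constructed ownership data
guarded = UndoDeleteGuard(_dummy_app, OWNERS.get, admins=frozenset({"root"}))

if __name__ == "__main__":
    print(send(guarded, "DELETE", "/api/undo/", user="bob", query="id=1"))
    print(send(guarded, "DELETE", "/api/undo/", user="alice", query="id=1"))
```

The middleware only covers the one endpoint the advisory names; if the same undo handler accepts other object types, the ownership lookup has to be extended accordingly. The header-based identity is trustworthy only if the proxy strips any client-supplied X-Authenticated-User before setting its own.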
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

