CVE-2026-23526 Overview
CVE-2026-23526 is a Privilege Escalation vulnerability in CVAT, an open source interactive video and image annotation tool for computer vision. Users with staff status can freely modify their own permissions, including granting themselves superuser status and joining the admin group. This results in full access to all data within the CVAT instance, bypassing intended access control restrictions.
Critical Impact
Staff users can escalate privileges to superuser level, gaining unauthorized administrative access to the entire CVAT instance and all stored annotation data.
Affected Products
- CVAT versions 1.0.0 through 2.54.0
Discovery Timeline
- 2026-01-21 - CVE CVE-2026-23526 published to NVD
- 2026-01-21 - Last updated in NVD database
Technical Details for CVE-2026-23526
Vulnerability Analysis
This vulnerability is classified under CWE-267 (Privilege Defined With Unsafe Actions), indicating a fundamental flaw in how user permissions are defined and enforced within the CVAT application. The core issue stems from insufficient access control validation when staff users attempt to modify their own user attributes, including permission levels and group memberships.
The vulnerability allows authenticated staff users to manipulate their account properties through the user update functionality. Because the application fails to properly restrict which attributes a staff user can modify on their own account, an attacker with staff privileges can escalate to full superuser status. This grants complete administrative control over the CVAT instance, including access to all projects, annotations, and sensitive data belonging to other users.
Root Cause
The root cause is inadequate permission granularity in the user update operations. Prior to the fix, the application did not differentiate between updating benign profile information (such as email or personal data) and modifying sensitive security attributes (such as permissions and group memberships). This lack of fine-grained permission checks allowed staff users to modify fields that should be restricted to administrators only.
Attack Vector
The attack is network-accessible and requires high privileges (staff status) but no user interaction. An attacker who has obtained staff-level access to a CVAT instance can exploit this vulnerability by sending crafted requests to the user update endpoint, modifying their own permission attributes to include superuser status or admin group membership. This can be accomplished through the application's API or potentially through manipulation of form data in the web interface.
# Security patch in cvat/apps/engine/permissions.py
# Source: https://github.com/cvat-ai/cvat/commit/88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4
LIST = 'list'
VIEW = 'view'
UPDATE = 'update'
+ UPDATE_EMAIL = 'update:email'
+ UPDATE_PERMISSIONS = 'update:permissions'
+ UPDATE_PERSONAL_DATA = 'update:personal_data'
DELETE = 'delete'
@classmethod
The patch introduces granular permission scopes (UPDATE_EMAIL, UPDATE_PERMISSIONS, UPDATE_PERSONAL_DATA) to replace the single monolithic UPDATE permission, enabling proper access control enforcement.
# Security patch in cvat/apps/engine/rules/users.rego
# Source: https://github.com/cvat-ai/cvat/commit/88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4
import data.organizations
# input: {
-# "scope": <"list"|"view"|"delete"|"update"> or null,
+# "scope": <"list"|"view"|"delete"|"update:email"|"update:personal_data"|"update:permissions"> or null,
# "auth": {
# "user": {
# "id": <num>,
The Rego policy rules were updated to enforce the new granular permission scopes, ensuring that permission modification operations require explicit administrative authorization.
Detection Methods for CVE-2026-23526
Indicators of Compromise
- Unexpected changes to user permission levels, particularly staff users gaining superuser or admin group membership
- Audit log entries showing users modifying their own is_superuser, is_staff, or group membership attributes
- Unusual API calls to user update endpoints with permission-related fields
Detection Strategies
- Implement audit logging for all user permission changes and review logs regularly for unauthorized modifications
- Monitor for API requests to user update endpoints that include sensitive fields like is_superuser, is_admin, or group membership changes
- Create alerts for any non-administrator account that gains superuser or admin privileges
Monitoring Recommendations
- Enable verbose logging on the CVAT application to capture all user modification events
- Establish baseline user permission states and alert on deviations
- Review the list of users with staff status periodically to ensure it matches expected administrative personnel
How to Mitigate CVE-2026-23526
Immediate Actions Required
- Upgrade CVAT to version 2.55.0 or later which contains the security fix
- Review the current list of users with staff status and revoke staff privileges from any users who do not require administrative access
- Audit all superuser and admin group memberships to ensure no unauthorized privilege escalation has occurred
Patch Information
The vulnerability is fixed in CVAT version 2.55.0. The fix introduces granular permission scopes for user update operations, separating email updates, personal data updates, and permission modifications into distinct authorization checks. The security patch is available in commit 88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4. For more details, see the GitHub Security Advisory GHSA-7pvv-w55f-qmw7.
Workarounds
- If immediate patching is not possible, review and restrict the list of users with staff status to only those who absolutely require it
- Implement additional network-level access controls to limit who can access CVAT administrative functions
- Enable additional monitoring and alerting on user permission changes until the patch can be applied
# Configuration example - Audit current staff users in CVAT
# Review users with staff status in Django admin or via database query
python manage.py shell -c "from django.contrib.auth.models import User; print([u.username for u in User.objects.filter(is_staff=True)])"
# Revoke staff status from non-essential users
python manage.py shell -c "from django.contrib.auth.models import User; User.objects.filter(username='non_admin_user').update(is_staff=False)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
