Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23526

CVE-2026-23526: CVAT Privilege Escalation Vulnerability

CVE-2026-23526 is a privilege escalation vulnerability in CVAT that allows staff users to grant themselves superuser status and full data access. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-23526 Overview

CVE-2026-23526 is a Privilege Escalation vulnerability in CVAT, an open source interactive video and image annotation tool for computer vision. Users with staff status can freely modify their own permissions, including granting themselves superuser status and joining the admin group. This results in full access to all data within the CVAT instance, bypassing intended access control restrictions.

Critical Impact

Staff users can escalate privileges to superuser level, gaining unauthorized administrative access to the entire CVAT instance and all stored annotation data.

Affected Products

  • CVAT versions 1.0.0 through 2.54.0

Discovery Timeline

  • 2026-01-21 - CVE CVE-2026-23526 published to NVD
  • 2026-01-21 - Last updated in NVD database

Technical Details for CVE-2026-23526

Vulnerability Analysis

This vulnerability is classified under CWE-267 (Privilege Defined With Unsafe Actions), indicating a fundamental flaw in how user permissions are defined and enforced within the CVAT application. The core issue stems from insufficient access control validation when staff users attempt to modify their own user attributes, including permission levels and group memberships.

The vulnerability allows authenticated staff users to manipulate their account properties through the user update functionality. Because the application fails to properly restrict which attributes a staff user can modify on their own account, an attacker with staff privileges can escalate to full superuser status. This grants complete administrative control over the CVAT instance, including access to all projects, annotations, and sensitive data belonging to other users.

Root Cause

The root cause is inadequate permission granularity in the user update operations. Prior to the fix, the application did not differentiate between updating benign profile information (such as email or personal data) and modifying sensitive security attributes (such as permissions and group memberships). This lack of fine-grained permission checks allowed staff users to modify fields that should be restricted to administrators only.

Attack Vector

The attack is network-accessible and requires high privileges (staff status) but no user interaction. An attacker who has obtained staff-level access to a CVAT instance can exploit this vulnerability by sending crafted requests to the user update endpoint, modifying their own permission attributes to include superuser status or admin group membership. This can be accomplished through the application's API or potentially through manipulation of form data in the web interface.

python
# Security patch in cvat/apps/engine/permissions.py
# Source: https://github.com/cvat-ai/cvat/commit/88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4

         LIST = 'list'
         VIEW = 'view'
         UPDATE = 'update'
+        UPDATE_EMAIL = 'update:email'
+        UPDATE_PERMISSIONS = 'update:permissions'
+        UPDATE_PERSONAL_DATA = 'update:personal_data'
         DELETE = 'delete'

     @classmethod

The patch introduces granular permission scopes (UPDATE_EMAIL, UPDATE_PERMISSIONS, UPDATE_PERSONAL_DATA) to replace the single monolithic UPDATE permission, enabling proper access control enforcement.

text
# Security patch in cvat/apps/engine/rules/users.rego
# Source: https://github.com/cvat-ai/cvat/commit/88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4

 import data.organizations

 # input: {
-#     "scope": <"list"|"view"|"delete"|"update"> or null,
+#     "scope": <"list"|"view"|"delete"|"update:email"|"update:personal_data"|"update:permissions"> or null,
 #     "auth": {
 #         "user": {
 #             "id": <num>,

The Rego policy rules were updated to enforce the new granular permission scopes, ensuring that permission modification operations require explicit administrative authorization.

Detection Methods for CVE-2026-23526

Indicators of Compromise

  • Unexpected changes to user permission levels, particularly staff users gaining superuser or admin group membership
  • Audit log entries showing users modifying their own is_superuser, is_staff, or group membership attributes
  • Unusual API calls to user update endpoints with permission-related fields

Detection Strategies

  • Implement audit logging for all user permission changes and review logs regularly for unauthorized modifications
  • Monitor for API requests to user update endpoints that include sensitive fields like is_superuser, is_admin, or group membership changes
  • Create alerts for any non-administrator account that gains superuser or admin privileges

Monitoring Recommendations

  • Enable verbose logging on the CVAT application to capture all user modification events
  • Establish baseline user permission states and alert on deviations
  • Review the list of users with staff status periodically to ensure it matches expected administrative personnel

How to Mitigate CVE-2026-23526

Immediate Actions Required

  • Upgrade CVAT to version 2.55.0 or later which contains the security fix
  • Review the current list of users with staff status and revoke staff privileges from any users who do not require administrative access
  • Audit all superuser and admin group memberships to ensure no unauthorized privilege escalation has occurred

Patch Information

The vulnerability is fixed in CVAT version 2.55.0. The fix introduces granular permission scopes for user update operations, separating email updates, personal data updates, and permission modifications into distinct authorization checks. The security patch is available in commit 88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4. For more details, see the GitHub Security Advisory GHSA-7pvv-w55f-qmw7.

Workarounds

  • If immediate patching is not possible, review and restrict the list of users with staff status to only those who absolutely require it
  • Implement additional network-level access controls to limit who can access CVAT administrative functions
  • Enable additional monitoring and alerting on user permission changes until the patch can be applied
bash
# Configuration example - Audit current staff users in CVAT
# Review users with staff status in Django admin or via database query
python manage.py shell -c "from django.contrib.auth.models import User; print([u.username for u in User.objects.filter(is_staff=True)])"

# Revoke staff status from non-essential users
python manage.py shell -c "from django.contrib.auth.models import User; User.objects.filter(username='non_admin_user').update(is_staff=False)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne