Description
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the issue. As a workaround, review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges.
Published: 2026-01-21
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Superuser
Action: Patch Update
AI Analysis

Impact

In CVAT versions 1.0.0 through 2.54.0 a staff‑level user is permitted to change the permissions of any account, including granting themselves superuser rights and adding themselves to the administrator group. This flaw allows an authorized staff member to gain unrestricted access to all data stored in the CVAT instance, effectively making the entire system vulnerable to data theft, modification, or deletion. The weakness corresponds to improper user role validation (CWE‑267).

Affected Systems

The vulnerability is confined to the open-source Computer Vision Annotation Tool (CVAT) maintained by cvat-ai. All releases from 1.0.0 up to and including 2.54.0 are affected; version 2.55.0 and later contain the fix.

Risk and Exploitability

The CVSS score of 8.5 classifies this as a high-severity issue, but the EPSS score is below 1%, indicating a very low probability of exploitation at the time of analysis, and the CVE is not listed in the CISA KEV catalogue. Exploitation requires an attacker to already hold a staff account or to compromise an existing one. Once in that role, the attack path is straightforward: the compromised user can immediately elevate privileges without further external interaction. The attack is therefore inferred to be an authenticated privilege escalation rather than remote code execution or a network-level exploit.

Generated by OpenCVE AI on April 18, 2026 at 04:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CVAT to version 2.55.0 or later to eliminate the privilege escalation flaw
  • If an upgrade is not immediately possible, revoke staff status from all users who do not require that role and monitor the user list for any unexpected changes
  • Restrict the assignment of staff status to only trusted administrators and enforce least‑privilege principles for all other users
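The review-and-monitor steps above, as an added example that is not OpenCVE's or the CVAT project's own code: it flags privileged accounts that are not on an allowlist and diffs two snapshots of the user list to surface newly granted staff, superuser or admin-group privileges. The field names (username, is_staff, is_superuser, groups), the group name "admin" and the sample records are assumptions and constructed data.

```python
# Added example (not CVAT project code): audit a snapshot of the user list for the
# workaround above. It assumes Django-style user fields (username, is_staff,
# is_superuser, groups) and an admin group literally named "admin"; all records are constructed.
ADMIN_GROUP = "admin"          # assumed name of the admin group
EXPECTED_ADMINS = {"alice"}    # constructed allowlist of accounts meant to hold privileges

# Constructed snapshots of the user list: "bob" escalated himself, "carol" was made staff.
BASELINE_USERS = [
    {"username": "alice", "is_staff": True, "is_superuser": True, "groups": ["admin"]},
    {"username": "bob", "is_staff": True, "is_superuser": False, "groups": ["user"]},
    {"username": "carol", "is_staff": False, "is_superuser": False, "groups": ["user"]},
]
CURRENT_USERS = [
    {"username": "alice", "is_staff": True, "is_superuser": True, "groups": ["admin"]},
    {"username": "bob", "is_staff": True, "is_superuser": True, "groups": ["admin", "user"]},
    {"username": "carol", "is_staff": True, "is_superuser": False, "groups": ["user"]},
]

def parse_users(records):
    """Normalise raw records (e.g. a JSON export) into {username: {flags, groups}}."""
    return {r["username"]: {"is_staff": bool(r.get("is_staff")),
                            "is_superuser": bool(r.get("is_superuser")),
                            "groups": frozenset(r.get("groups", []))} for r in records}

def is_privileged(u):
    """Any of the three grants named in the advisory counts as privileged."""
    return u["is_staff"] or u["is_superuser"] or ADMIN_GROUP in u["groups"]

def audit(users, expected_admins):
    """Usernames holding privileges that are not on the allowlist: revocation candidates."""
    return sorted(name for name, u in users.items()
                  if is_privileged(u) and name not in expected_admins)

def detect_escalations(baseline, current):
    """Map username -> privileges gained since the baseline (new accounts included)."""
    empty = {"is_staff": False, "is_superuser": False, "groups": frozenset()}
    findings = {}
    for name, u in current.items():
        old = baseline.get(name, empty)
        gained = [flag for flag in ("is_staff", "is_superuser") if u[flag] and not old[flag]]
        if ADMIN_GROUP in u["groups"] - old["groups"]:
            gained.append("group:" + ADMIN_GROUP)
        if gained:
            findings[name] = gained
    return findings

if __name__ == "__main__":
    print("unexpected privileged users:", audit(parse_users(CURRENT_USERS), EXPECTED_ADMINS))
    print("escalations since baseline:",
          detect_escalations(parse_users(BASELINE_USERS), parse_users(CURRENT_USERS)))
```

Run it periodically against a fresh export and keep the previous export as the baseline; any account reported by detect_escalations that was not changed by an administrator warrants investigation.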

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 17:15:00 +0000
  Metrics (ssvc)
    Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 20:15:00 +0000
  First Time appeared
    Added:   Cvat computer Vision Annotation Tool
  CPEs
    Removed: cpe:2.3:a:cvat:cvat:*:*:*:*:*:*:*:*
    Added:   cpe:2.3:a:cvat:computer_vision_annotation_tool:*:*:*:*:*:*:*:*
  Vendors & Products
    Removed: Cvat cvat
    Added:   Cvat computer Vision Annotation Tool

Tue, 17 Feb 2026 17:15:00 +0000
  First Time appeared
    Added:   Cvat
    Added:   Cvat cvat
  CPEs
    Added:   cpe:2.3:a:cvat:cvat:*:*:*:*:*:*:*:*
  Vendors & Products
    Added:   Cvat
    Added:   Cvat cvat
  Metrics (cvssV3_1)
    Added:   {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Fri, 23 Jan 2026 16:45:00 +0000
  First Time appeared
    Added:   Cvat-ai
    Added:   Cvat-ai cvat
  Vendors & Products
    Added:   Cvat-ai
    Added:   Cvat-ai cvat

Thu, 22 Jan 2026 23:00:00 +0000
  Metrics (ssvc)
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 22:00:00 +0000
  Description
    Added:   CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the issue. As a workaround, review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges.
  Title
    Added:   CVAT vulnerable to privilege escalation of users with staff status
  Weaknesses
    Added:   CWE-267
  References
  Metrics (cvssV4_0)
    Added:   {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T14:44:33.583Z

Reserved: 2026-01-13T18:22:43.980Z

Link: CVE-2026-23526

Vulnrichment

Updated: 2026-01-22T15:09:32.221Z

NVD

Status: Analyzed

Published: 2026-01-21T22:15:50.433

Modified: 2026-02-20T20:08:27.433

Link: CVE-2026-23526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:15:05Z

Weaknesses