Description
CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. Attackers can send requests with sequential integer parent_id values and distinguish between existing and non-existing reports via HTTP 500 versus HTTP 404 response differences, disclosing cross-organization report existence without returning report content.
Published: 2026-06-30
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper authorization flaw in CVAT's QualityReportViewSet.get_queryset method, where a missing check_object_permissions call on the parent_id query parameter allows authenticated users to probe the existence of quality reports belonging to other organizations. An attacker can send requests with sequential integer parent_id values and distinguish between existing and non-existing reports by the differing HTTP responses (500 for existing, 404 for non-existing), leaking cross-organization report existence without exposing report content.

Affected Systems

The affected product is CVAT (cvat-ai:cvat). All released versions prior to 2.69.0 are vulnerable; no finer-grained version information is listed beyond the < 2.69.0 threshold.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. The attack requires authenticated access to the CVAT API. By iterating parent_id values and interpreting the status code differences, an attacker can enumerate which quality reports exist for other organizations, providing information that could be leveraged for further reconnaissance.

Generated by OpenCVE AI on June 30, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CVAT to version 2.69.0 or later on all deployments
  • Enforce the updated version on every instance that serves multiple organizations
  • Monitor API logs for anomalous parent_id query patterns and alert on repeated enumeration attempts
  • Apply a temporary restriction that hides parent_id visibility from non-admin users until the patch is fully deployed

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 17:30:00 +0000

Type | Values Removed | Values Added
Metrics | (none) | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | (none) | CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. Attackers can send requests with sequential integer parent_id values and distinguish between existing and non-existing reports via HTTP 500 versus HTTP 404 response differences, disclosing cross-organization report existence without returning report content.
Title | (none) | CVAT < 2.69.0 - Missing Authorization on Quality Reports parent_id Filter Leaks Cross-Organization Report Existence
First Time appeared | (none) | Cvat; Cvat cvat
Weaknesses | (none) | CWE-862
CPEs | (none) | cpe:2.3:a:cvat:cvat:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Cvat; Cvat cvat
References | (none) | (none)
Metrics | (none) | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}; cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-06-30T16:46:37.380Z
Reserved: 2026-06-30T12:32:16.547Z
Link: CVE-2026-58373

Vulnrichment

Updated: 2026-06-30T16:46:33.438Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:30:15Z

Weaknesses