CVE-2026-23526 HIGH

CVE-2026-23526: CVAT vulnerable to privilege escalation of users with staff status

Vendor Cvat-Ai
Product cvat
Weakness CWE-267
Published January 21, 2026
Last update February 26, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users with staff status can freely change their own permissions, including granting themselves superuser status and joining the admin group, which gives them full access to all data in the CVAT instance. Version 2.55.0 fixes the issue. As a workaround, review the list of users with staff status and revoke it from any user who is not expected to hold superuser privileges.

Key dates

Disclosure timeline

January 21, 2026 CVE published
February 26, 2026 Record updated