Critical CVAT Vulnerabilities Enable Full Admin Takeover and Silent Session Hijacking

Aegiron 9 mins0

Product overview

Product: CVAT (Computer Vision Annotation Tool)
Category: Web-based data annotation platform for images and videos
Typical usage: Used by annotation teams, ML engineers, and data operations groups to create and manage labeled datasets
Deployment models: On-premise, cloud, containerized environments
Authentication model: Role-based access control (RBAC) with user, staff, and admin/superuser roles

CVE summary table

CVE NameCVE IDCVSS ScoreSeverityExploitabilityExploit Availability
Privilege escalation via staff roleCVE-2026-235268.5HighRequires authenticated staff-level userNo public weaponized exploit; exploitation feasible
Stored XSS via labels / SVG skeletonsCVE-2026-235168.6HighRequires ability to create labels or upload SVGProof-of-concept possible (educational)

CVE-2026-23526 — Privilege escalation (full admin access)

Description

A privilege escalation vulnerability was identified in CVAT where accounts marked as staff were incorrectly allowed to modify restricted authorization attributes. Due to insufficient server-side enforcement of role boundaries, permission checks were bypassed, allowing escalation from staff to full administrator (superuser) privileges.

The issue was caused by flawed authorization logic rather than a traditional injection or memory-based weakness.

Impact

Once administrative privileges were obtained, unrestricted access to the CVAT instance was granted. This included:

  • Full access to all datasets and annotations
  • Ability to modify or delete projects and tasks
  • User management (create, delete, or elevate other users)
  • Access to internal APIs and configuration endpoints
  • Potential exposure of sensitive training data

The impact was assessed as high due to complete compromise of confidentiality, integrity, and availability.

Exploitation scenario (educational)

The vulnerability could be exploited by an attacker who already had access to a staff-level account, either legitimately or through credential compromise.

The following high-level flow applied:

  • An authenticated staff account accessed a user management or profile update endpoint
  • Restricted role attributes (such as admin or superuser flags) were modified
  • The server accepted the changes without enforcing privilege restrictions
  • The account immediately gained full administrative capabilities

No complex exploit chain was required; exploitation relied on business logic abuse.

Proof-of-concept availability

No public exploit code was released.
However, exploitation was technically straightforward and reproducible in vulnerable versions.

MITRE / ATT&CK / CWE mapping

  • CWE: Improper Privilege Management
  • ATT&CK Technique: Privilege Escalation
  • Attack Vector: Valid Accounts
  • Attack Complexity: Low

Detection and monitoring guidance

What should be monitored

  • Unexpected changes to user privilege fields
  • Staff users suddenly accessing admin-only endpoints
  • Creation or modification of admin users without change approvals
  • API calls modifying user roles initiated by non-admin users

Splunk detection rules — Privilege escalation

Rule 1: Suspicious role change activity

index=cvat sourcetype=cvat_audit
| search action="user_update"
| where like(changed_fields,"%is_superuser%") OR like(changed_fields,"%groups%")
| table _time, actor_user, target_user, changed_fields, src_ip, user_agent

Rule 2: Staff account accessing admin endpoints

index=cvat sourcetype=cvat_api
| search uri="/api/admin/*"
| where user_role="staff"
| table _time, username, uri, src_ip, method

Rule 3: Sudden admin privilege creation

index=cvat sourcetype=cvat_auth
| stats count by username, is_superuser
| where is_superuser=true

Mitigation and remediation

  • Immediate upgrade to a fixed version is required
  • Staff roles should be reviewed and limited to operational necessity
  • Temporary removal of staff privileges is recommended until patching is complete
  • Admin access changes should be logged and reviewed regularly
  • Credentials of impacted accounts should be rotated

Official patch / upgrade link

Upgrade to CVAT v2.55.0 or later
https://github.com/cvat-ai/cvat/releases/tag/v2.55.0

CVE-2026-23516 — Stored XSS (session hijacking)

Description

A stored cross-site scripting vulnerability was discovered in CVAT where user-controlled input in labels and SVG skeleton uploads was insufficiently sanitized. Malicious JavaScript embedded in stored content was executed in the context of other users’ browsers when affected objects were viewed or edited.

This vulnerability allowed execution of arbitrary client-side code with the victim’s session privileges.

Impact

Successful exploitation allowed:

  • Theft of active session cookies or tokens
  • Execution of API actions on behalf of the victim
  • Unauthorized access to projects and datasets
  • Lateral movement through trusted user accounts

While server compromise was not direct, the impact was severe due to session takeover potential.

Exploitation scenario (educational)

  • A malicious label or SVG file was created containing embedded script
  • The object was stored in the CVAT backend
  • A victim user accessed the task, label, or skeleton
  • The browser executed the embedded script silently
  • Session data or API calls were exfiltrated

The attack relied on trust between collaborators and normal workflow behavior.

Example payload behavior

Payloads were typically embedded in SVG or label metadata and executed upon rendering.

MITRE / ATT&CK / CWE mapping

  • CWE: Stored Cross-Site Scripting
  • ATT&CK Technique: User Execution
  • Attack Vector: Malicious File / Web Content
  • Attack Complexity: Low

Detection and monitoring guidance

What should be monitored

  • Uploads with image/svg+xml content type
  • Labels containing HTML or script-like patterns
  • Browser-originated API calls occurring in abnormal volume
  • Outbound connections to unknown domains following UI interaction

Splunk detection rules — Stored XSS

Rule 1: SVG uploads

index=cvat sourcetype=cvat_api
| search method=POST content_type="image/svg+xml"
| table _time, username, uri, src_ip

Rule 2: Suspicious label content

index=cvat sourcetype=cvat_labels
| regex label_text="(<script|onerror=|onload=)"
| table _time, username, project, label_text

Rule 3: Possible session abuse

index=cvat sourcetype=cvat_api
| stats count by username, src_ip
| where count > 100

Mitigation and remediation

  • Upgrade to a fixed version immediately
  • Restrict label and SVG creation to trusted users until patched
  • Enforce strong Content Security Policy (CSP) headers
  • Invalidate sessions after patching
  • Educate users to report unusual UI behavior

Official patch / upgrade link

Upgrade to CVAT v2.55.0 or later
https://github.com/cvat-ai/cvat/releases/tag/v2.55.0

Final takeaway

Both vulnerabilities result in high-impact compromise scenarios.
Delayed patching significantly increases exposure, especially in collaborative environments.

Immediate upgrade, role auditing, and log monitoring are strongly advised.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.