CVE-2026-23526

Date: January 21, 2026

CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the issue. As a workaround, review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges.

Severity Score

Weakness Type (CWE)

Privilege Defined With Unsafe Actions

CWE-267

Top Fix

Upgrade Version

Upgrade to version v2.55.0 (https://github.com/cvat-ai/cvat.git)

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): NONE
