CVE-2026-2109 – This vulnerability allows unauthorized deletion... (How to Fix)

Q: What is the severity of CVE-2026-2109?

CVE-2026-2109 has a CVSS score of 5.4 (MEDIUM). This vulnerability allows unauthorized deletion of categories in jsbroks COCO Annotator through improper authorization in the Delete Category Handler. Attackers can remotely exploit this to manipulate annotation data. Users of COCO Annotator versions up to 0.11.1 are affected.

📋 TL;DR

This vulnerability allows unauthorized deletion of categories in jsbroks COCO Annotator through improper authorization in the Delete Category Handler. Attackers can remotely exploit this to manipulate annotation data. Users of COCO Annotator versions up to 0.11.1 are affected.

💻 Affected Systems

Products:

jsbroks COCO Annotator

Versions: up to 0.11.1

Operating Systems: All platforms running COCO Annotator

Default Config Vulnerable: ⚠️ Yes

Notes: All installations with the vulnerable API endpoint accessible are affected.

📦 What is this software?

Coco Annotator by Jsbroks

View all CVEs affecting Coco Annotator →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete loss or corruption of annotation categories, disrupting annotation workflows and potentially requiring data restoration from backups.

🟠

Likely Case

Unauthorized deletion of specific annotation categories, causing data inconsistency and requiring manual correction.

🟢

If Mitigated

Minimal impact with proper access controls and monitoring in place.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely and a public exploit exists.

🏢 Internal Only: MEDIUM - Internal attackers could exploit this to disrupt annotation workflows.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly available in GitHub repositories. Attack requires some authentication but bypasses authorization checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to any version above 0.11.1 if available, or implement workarounds.

🔧 Temporary Workarounds

API Endpoint Restriction

all

Block or restrict access to the vulnerable /api/undo/ endpoint

# Using web server configuration (nginx example)
location /api/undo/ { deny all; }
# Using firewall rules
iptables -A INPUT -p tcp --dport [COCO_PORT] -m string --string "/api/undo/" --algo bm -j DROP

Authentication Enhancement

all

Implement additional authentication checks before category deletion operations

# Modify the Delete Category Handler to verify user permissions
# Check if current user has delete rights for the specified category ID

🧯 If You Can't Patch

Implement network segmentation to restrict access to COCO Annotator to authorized users only
Enable detailed logging of all category deletion operations and monitor for unauthorized attempts

🔍 How to Verify

Check if Vulnerable:

Check if your COCO Annotator version is 0.11.1 or earlier and if the /api/undo/ endpoint is accessible.

Check Version:

Check the COCO Annotator web interface or configuration files for version information

Verify Fix Applied:

Test if unauthorized category deletion is possible through the /api/undo/ endpoint after implementing controls.

📡 Detection & Monitoring

Log Indicators:

Unusual DELETE requests to /api/undo/ endpoint
Category deletion operations from unexpected users or IP addresses

Network Indicators:

HTTP DELETE requests to /api/undo/ with category ID parameters

SIEM Query:

source="web_server_logs" AND (uri_path="/api/undo/" AND http_method="DELETE")

📊 Metadata

CVE ID: CVE-2026-2109

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CWE: CWE-266

EPSS Score: 0.04% exploit probability (11.1th percentile)

Published: February 7, 2026

Last Updated: February 27, 2026

🔗 References

https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md Exploit,Third Party Advisory
https://vuldb.com/?ctiid.344685 Permissions Required,VDB Entry
https://vuldb.com/?id.344685 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.745579 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-2109, you might also want to check these: