CVE-2026-23526

8.8 HIGH

📋 TL;DR

CVAT users with staff status can escalate their own privileges to superuser/admin level, gaining full access to all data in the CVAT instance. This affects all CVAT deployments running versions 1.0.0 through 2.54.0. The vulnerability allows unauthorized privilege escalation within the application.

💻 Affected Systems

Products:
  • CVAT (Computer Vision Annotation Tool)
Versions: 1.0.0 through 2.54.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with staff users are vulnerable. The vulnerability exists in the application logic, not in specific configurations.


⚠️ Risk & Real-World Impact

🔴 Worst Case: Staff users gain superuser privileges, allowing them to access, modify, or delete all annotation data, user accounts, and system configurations.

🟠 Likely Case: Staff users elevate their privileges to access sensitive annotation data they shouldn't have permission to view or modify.

🟢 If Mitigated: No impact if proper access controls prevent staff users from accessing privilege modification features.

🌐 Internet-Facing: HIGH if CVAT instance is internet-facing and has staff users who could exploit this.
🏢 Internal Only: MEDIUM as it requires authenticated staff user access, but still poses significant data access risks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated account with staff status. The vulnerability lies in the application's user-management interface, which allows a staff user to escalate their own privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.55.0

Vendor Advisory: https://github.com/cvat-ai/cvat/security/advisories/GHSA-7pvv-w55f-qmw7

Restart Required: Yes

Instructions:

1. Backup your CVAT data and configurations.
2. Update CVAT to version 2.55.0 or later using your deployment method (Docker, Kubernetes, etc.).
3. Restart the CVAT services.
4. Verify the update was successful.

🔧 Temporary Workarounds

Review and revoke staff status (applies to: all deployments)

Review all users with staff status and remove it from users who should not have superuser privileges.

# Review staff users in the CVAT admin interface
# Remove staff status from unauthorized users

🧯 If You Can't Patch

  • Implement strict access controls to prevent staff users from accessing privilege modification features
  • Monitor user permission changes and audit logs for unauthorized privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check CVAT version via web interface or deployment configuration. Versions 1.0.0 through 2.54.0 are vulnerable.

Check Version:

# For Docker deployments. Note: manage.py --version reports the Django framework
# version, not the CVAT release; confirm the CVAT version in the web interface
# or from your deployment manifest / image tag.
docker exec cvat_server python manage.py --version

Verify Fix Applied:

After updating to 2.55.0+, verify that staff users can no longer modify their own permissions to gain superuser status.

📡 Detection & Monitoring

Log Indicators:

  • User permission changes from staff to superuser/admin
  • Unauthorized access to admin functions by staff users

Network Indicators:

  • HTTP requests to permission modification endpoints from staff user accounts

SIEM Query:

source="cvat" AND (event="permission_change" OR event="user_escalation")
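As an added detection example (not code from this advisory or the CVAT project), the replay below turns the "staff to superuser" log indicator into alerts, flagging self-grants of the superuser flag and follow-on grants by accounts that only became superuser through such a self-grant. The audit record format (actor_id, target_id, field, old, new) and the sample events are constructed for illustration; real CVAT or Django audit logs must be mapped onto those fields.

```python
# Added example, not from the advisory or the CVAT project. The record format
# (actor_id, target_id, field, old, new) is assumed; map real audit logs onto it.
import json
# Constructed sample: user 7 (staff) flips their own is_superuser flag, then
# grants it to user 12; user 1 is a legitimate admin. One corrupt line included.
SAMPLE_LOG = """
{"ts":"2026-02-01T10:00:00Z","actor_id":7,"target_id":7,"field":"is_staff","old":false,"new":true}
{"ts":"2026-02-01T10:05:00Z","actor_id":7,"target_id":7,"field":"is_superuser","old":false,"new":true}
{"ts":"2026-02-01T10:10:00Z","actor_id":7,"target_id":12,"field":"is_superuser","old":false,"new":true}
{"ts":"2026-02-01T11:00:00Z","actor_id":1,"target_id":9,"field":"is_superuser","old":false,"new":true}
{"ts":"2026-02-01T11:30:00Z","actor_id":1,"target_id":9,"field":"is_superuser","old":true,"new":false}
this line is corrupt and must be skipped rather than abort the scan
"""
def parse_events(text):
    """Parse newline-delimited JSON records, skipping blank or corrupt lines."""
    events = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def replay(events, initial_superusers=frozenset()):
    """Replay is_superuser changes in time order; return (alerts, superusers).
    A grant is alerted when the actor is not a trusted superuser: a self-grant
    (the CVE-2026-23526 pattern) or a grant by someone who only became superuser
    through an earlier alerted grant. Revocations clear the target from both sets."""
    superusers, suspect, alerts = set(initial_superusers), set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("field") != "is_superuser":
            continue  # is_staff toggles alone are not an escalation
        actor, target = ev["actor_id"], ev["target_id"]
        if not ev["new"]:
            superusers.discard(target)
            suspect.discard(target)
            continue
        if actor not in superusers or actor in suspect:
            kind = "self-escalation" if actor == target else "grant-by-suspect-actor"
            alerts.append((ev["ts"], actor, target, kind))
            suspect.add(target)
        superusers.add(target)
    return alerts, superusers

if __name__ == "__main__":
    found, admins = replay(parse_events(SAMPLE_LOG), initial_superusers={1})
    for ts, actor, target, kind in found:
        print(f"{ts} ALERT {kind}: user {actor} set is_superuser on user {target}")
    print("superusers after replay:", sorted(admins))
```

Seed initial_superusers from the accounts you have verified out of band; the replay cannot distinguish a legitimate admin from an escalated one without that baseline.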
