Privilege escalation in Cvat-ai Cvat
CVE-2026-23526
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status an…
EPSS: 0.001 (19.7th percentile)
Affected products
- Cvat-ai Cvat — versions >= 1.0.0, < 2.55.0
Weakness classification (CWE)
References
- https://github.com/cvat-ai/cvat/security/advisories/GHSA-7pvv-w55f-qmw7 (x_refsource_CONFIRM)
- https://github.com/cvat-ai/cvat/commit/88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4 (x_refsource_MISC)