CVE-2025-49135 is an authorization bypass vulnerability affecting the open-source computer vision annotation tool CVAT, specifically versions 2.2.0 through 2.39.0. CVAT allows users to annotate images and videos for machine learning model training. The vulnerability arises from insufficient validation during the import process of project or task backups. When a user imports a project or task backup, the filename is specified via a query parameter. However, CVAT does not verify that the filename corresponds to a TUS-uploaded file owned by the requesting user. TUS is a protocol used for resumable file uploads. This lack of validation means that an authenticated user with a standard 'user' role who knows or can guess filenames of other users' uploaded files can create projects or tasks referencing those files, thereby gaining unauthorized access to potentially sensitive data belonging to other users. Notably, this vulnerability does not affect annotation or dataset TUS uploads because those use object-specific temporary directories, which isolate user data. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS v4.0 base score is 5.3 (medium severity), reflecting a network attack vector, low attack complexity, no privileges required beyond a user role, and no user interaction needed. The impact is primarily on confidentiality, as unauthorized data access is possible. There are no known exploits in the wild, and no workarounds are currently available. The vendor has released CVAT version 2.40.0 or later to address this issue by implementing proper validation of file ownership during import. Organizations using vulnerable CVAT versions should prioritize upgrading to mitigate risk.

For European organizations, especially those involved in AI, computer vision research, and data annotation, this vulnerability poses a significant risk to data confidentiality. Unauthorized access to uploaded files could lead to exposure of proprietary datasets, personally identifiable information (PII), or sensitive project data. This could result in intellectual property theft, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Since CVAT is used in sectors such as automotive, healthcare, and manufacturing across Europe, unauthorized data disclosure could impact competitive advantage and client trust. The vulnerability requires only authenticated user access, which means insider threats or compromised user accounts could be leveraged to exploit this flaw. The lack of user interaction and low attack complexity increases the likelihood of exploitation once an attacker has valid credentials. Although availability and integrity are not directly impacted, the confidentiality breach alone is critical given the sensitivity of annotated datasets. The absence of known exploits suggests limited current exploitation but does not preclude future attacks, especially as awareness grows.

1. Immediate upgrade to CVAT version 2.40.0 or later, which includes the patch validating file ownership during import. 2. Implement strict access controls and monitoring on CVAT user accounts to detect unusual import activities or access patterns, including logging and alerting on project/task imports referencing files outside a user's ownership. 3. Enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce risk of account compromise. 4. Conduct regular audits of uploaded files and project backups to identify any unauthorized access or anomalies. 5. Limit the distribution of file name information and consider obfuscating or randomizing file identifiers to reduce the risk of attackers guessing valid filenames. 6. Where possible, segregate sensitive datasets and restrict CVAT user roles to minimize exposure. 7. Educate users on the importance of safeguarding their credentials and recognizing suspicious activity within CVAT. 8. If upgrading immediately is not feasible, consider network segmentation or firewall rules to restrict access to the CVAT instance to trusted users only, reducing the attack surface.