CVE-2026-2108: Denial of Service in jsbroks COCO Annotator
CVE-2026-2108 is a denial of service (DoS) vulnerability affecting jsbroks COCO Annotator versions up to 0.11.1. The flaw exists in the /api/info/long_task endpoint and allows an unauthenticated remote attacker to disrupt the service. The vulnerability has a CVSS 4.0 score of 6.9 (medium severity) and requires neither user interaction nor privileges. Although the vendor was notified, no patch or response has been issued, and public exploit details are available. Exploitation could make annotation services temporarily unavailable, impacting workflows that rely on COCO Annotator. European organizations using this tool for machine learning or computer vision projects may experience operational interruptions.
AI Analysis
Technical Summary
CVE-2026-2108 is a denial of service vulnerability identified in jsbroks COCO Annotator, an open-source tool used for annotating images in computer vision projects. The vulnerability resides in an unspecified function within the /api/info/long_task endpoint; the public advisory does not name the function or describe the root cause. Manipulating this endpoint remotely, without authentication, can make the application unresponsive or crash it, resulting in denial of service. The vulnerability affects versions 0.11.0 and 0.11.1 of COCO Annotator. The CVSS 4.0 vector indicates that the attack can be performed over the network (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), and that the impact is confined to availability: no confidentiality impact, no integrity impact, and low availability impact (VC:N, VI:N, VA:L). An exploit is publicly disclosed, which increases the risk of exploitation, though no active exploitation in the wild has been reported. The vendor was contacted but has not provided a patch or mitigation guidance. This leaves users exposed to potential service disruptions, which can impact workflows dependent on the availability of annotation services for machine learning data preparation.
Potential Impact
For European organizations, especially those involved in AI, machine learning, and computer vision research or product development, this vulnerability can disrupt critical annotation workflows. Denial of service on the COCO Annotator platform can delay data labeling processes, impacting project timelines and productivity. Organizations relying on this tool for training data preparation may face operational downtime, potentially affecting downstream model accuracy and deployment schedules. The lack of vendor response and patch availability increases risk exposure. Additionally, service unavailability could impact collaborative projects or cloud-based annotation services hosted in Europe, leading to broader operational impacts. While the vulnerability does not directly compromise data confidentiality or integrity, the availability impact can have significant business consequences in time-sensitive environments.
Mitigation Recommendations
Until an official patch is released, European organizations should restrict network access to the COCO Annotator instance as a whole, not only to the /api/info/long_task endpoint: because the root cause is unspecified, blocking a single path at the proxy gives no assurance that the same fault is unreachable by another route. Expose the service only to trusted internal IP ranges or VPN users; since the vector requires no privileges (PR:N), putting the application behind a reverse proxy that enforces authentication or a VPN removes the unauthenticated attack surface. Where the endpoint must stay reachable, enforce per-client rate limiting on it at the reverse proxy and alert on bursts of requests to that path so exploitation attempts are noticed early. Web application firewall (WAF) rules matching the path can block obviously abusive requests, but they are a supplement to access control, not a replacement for it. Regularly monitor reverse-proxy and application logs for unusual request patterns indicative of DoS attempts, and if feasible isolate the COCO Annotator service in a segmented network zone so that an outage does not affect neighbouring services. Follow the upstream project and the open-source community for any unofficial patches or workarounds, and prepare incident response plans (including a tested restart or redeploy procedure) to restore service availability quickly in case of exploitation.
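The monitoring advice above needs something concrete to run over proxy logs. The following is an added example written for this page, not code from COCO Annotator or from the advisory's source: it scans access-log lines in nginx "combined" format (a constructed sample is embedded) and reports any client IP whose requests to /api/info/long_task exceed a threshold within a sliding window, tagging each alert with whether the client sits inside an allowlisted range. The endpoint path comes from the advisory; the assumption that the service is fronted by an nginx-style reverse proxy, and the window, threshold, trusted CIDRs and log lines, are all assumptions made for the example.

```python
"""Sliding-window burst detector for /api/info/long_task requests (added example)."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

ENDPOINT = "/api/info/long_task"          # from the advisory
WINDOW = timedelta(seconds=10)            # assumed sliding window
THRESHOLD = 20                            # assumed: more than 20 hits per window per client
TRUSTED_NETS = [                          # assumed internal / VPN ranges
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# nginx "combined" format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def is_trusted(ip):
    """Access-control check: does the client fall inside an allowlisted range?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def detect_bursts(lines, endpoint=ENDPOINT, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per client IP the first time its hits on `endpoint`
    inside any `window`-long interval exceed `threshold`.

    Lines are expected in log order. Each client keeps its own deque of recent
    timestamps; entries older than the window are dropped before counting."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                       # skip malformed lines rather than crash the monitor
        ip, ts, _method, path, _status = rec
        if path != endpoint:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "hits": len(q),
                "first": q[0],
                "last": ts,
                # an untrusted source should not have reached the endpoint at all
                "trusted": is_trusted(ip),
            })
    return alerts


def _mk(ip, ts, path, status=200):
    """Build one constructed nginx combined-format line for the sample log."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" {status} 17 "-" "curl/8.0"'


_T0 = datetime(2026, 2, 7, 19, 0, 0, tzinfo=timezone.utc)
# Constructed sample: an internal client polling normally, unrelated traffic,
# an external client sending 30 requests to the endpoint within 6 seconds,
# and one malformed line.
SAMPLE_LOG = (
    [_mk("10.1.2.3", _T0 + timedelta(seconds=10 * i), ENDPOINT) for i in range(3)]
    + [_mk("10.1.2.3", _T0 + timedelta(seconds=5), "/api/dataset/")]
    + [_mk("203.0.113.7", _T0 + timedelta(seconds=20 + i // 5), ENDPOINT) for i in range(30)]
    + ["not a log line"]
)


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG):
        print(f"{a['ip']}: {a['hits']} hits to {ENDPOINT} between {a['first']} and {a['last']}"
              f" (trusted={a['trusted']})")
```

Run against the sample it flags only 203.0.113.7, at the 21st request inside the 10-second window; the internal client's slow polling stays below the threshold. In production, feed the real access log in (for example via `tail -F`) and treat an alert with `trusted: False` as evidence that the network-level access control recommended above is not actually in place.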
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-06T14:23:41.354Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69878f40f9fa50a62f7c5181
Added to database: 2/7/2026, 7:15:12 PM
Last enriched: 2/7/2026, 7:29:44 PM
Last updated: 2/7/2026, 9:22:34 PM
Related Threats
- CVE-2026-2113: Deserialization in yuan1994 tpadmin (Medium)
- CVE-2026-2111: Path Traversal in JeecgBoot (Medium)
- CVE-2026-2110: Improper Restriction of Excessive Authentication Attempts in Tasin1025 SwiftBuy (Medium)
- CVE-2026-2109: Improper Authorization in jsbroks COCO Annotator (Medium)
- CVE-2026-2107: Improper Authorization in yeqifu warehouse (Medium)