CVE-2026-2108: Denial of Service in jsbroks COCO Annotator
A vulnerability was found in jsbroks COCO Annotator up to version 0.11.1. It affects an unknown function of the /api/info/long_task endpoint. Manipulating this endpoint causes a denial of service. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2026-2108 is a medium severity denial of service vulnerability affecting jsbroks COCO Annotator versions 0.11.0 and 0.11.1. The vulnerability resides in an unspecified function within the /api/info/long_task endpoint of the application’s API. An attacker can remotely send crafted requests to this endpoint without authentication or user interaction, causing the application to become unresponsive or crash and resulting in denial of service. The vulnerability was publicly disclosed on February 7, 2026, with no response or patch from the vendor. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low impact on availability (VA:L), with no impact on confidentiality or integrity. Although no exploitation in the wild is currently known, the public disclosure and availability of exploit details increase the risk of exploitation. The vulnerability affects the availability of the COCO Annotator service, which is widely used in machine learning and computer vision projects for image annotation. With no vendor response and no patch available, organizations must rely on alternative mitigations to protect their deployments. The root cause and exact technical details remain unspecified, but the affected endpoint suggests the issue may lie in the handling of long-running tasks or their status queries, which could be abused to overload or crash the service.
Potential Impact
The primary impact of CVE-2026-2108 is denial of service, which can disrupt the availability of the COCO Annotator service. Organizations relying on this tool for image annotation in AI, machine learning, or computer vision workflows may experience interruptions, delaying development and operational processes. This can affect research labs, AI startups, and enterprises integrating COCO Annotator into their pipelines. Because neither authentication nor user interaction is required, the barrier for remote exploitation is low, potentially enabling automated attacks. While there is no impact on confidentiality or integrity, availability degradation can lead to productivity loss and operational downtime. The public disclosure without a vendor patch widens the window of exposure, raising the risk of exploitation by opportunistic attackers or competitors. Organizations with internet-facing COCO Annotator instances are particularly exposed. The impact is more pronounced in environments where COCO Annotator is critical to business or research operations, especially if no compensating controls are in place.
Mitigation Recommendations
Until an official patch is released, organizations should implement network-level protections such as firewall rules to restrict access to the /api/info/long_task endpoint only to trusted internal IP addresses or VPN users. Deploying web application firewalls (WAFs) with custom rules to detect and block abnormal request patterns targeting this endpoint can help mitigate exploitation attempts. Monitoring application logs and network traffic for unusual spikes or repeated requests to the vulnerable endpoint is critical for early detection. Rate limiting requests to the /api/info/long_task endpoint can reduce the risk of resource exhaustion. If possible, isolate COCO Annotator instances in segmented network zones to limit exposure. Organizations should also prepare for rapid patch deployment once the vendor releases a fix and consider alternative annotation tools if the risk is unacceptable. Regular backups and incident response plans should be updated to address potential denial of service scenarios. Engaging with the vendor or community forums for updates and workarounds is recommended.
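As an added illustration of the log-monitoring and rate-limiting advice above (this is not code from the report or from the COCO Annotator project), the following Python script flags clients that hit /api/info/long_task in bursts. The access-log lines are constructed in combined log format, and the window size and threshold are assumptions to tune per deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format (Nginx/Apache default): ip ident user [ts] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WATCHED_PATH = "/api/info/long_task"   # endpoint named in the advisory


def parse_line(line):
    """Return a dict for a well-formed access-log line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}


def find_bursts(lines, window_s=10, threshold=20):
    """Return {ip: peak_count} for clients that requested WATCHED_PATH more than
    `threshold` times inside any sliding window of `window_s` seconds.
    Lines must be in chronological order, as they are in a live log."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != WATCHED_PATH:
            continue              # skip unparsable lines and other endpoints
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # drop hits that fell out of the window
        if len(q) > threshold:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


# Constructed sample traffic (not real logs): a browser polling the endpoint every
# 15 s, and a second client (assumed noisy) sending 3 requests per second for 10 s.
def _line(ip, sec, path, ua):
    return f'{ip} - - [07/Feb/2026:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'

_events = [(s, "198.51.100.9", WATCHED_PATH, "Mozilla/5.0") for s in (0, 15, 30, 45)]
_events += [(s, "203.0.113.7", WATCHED_PATH, "curl/8.4") for s in range(10) for _ in range(3)]
_events += [(5, "198.51.100.9", "/api/dataset/1", "Mozilla/5.0")]   # unrelated endpoint
SAMPLE_LOG = [_line(ip, s, path, ua) for s, ip, path, ua in sorted(_events)]

if __name__ == "__main__":
    for ip, peak in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} hits to {WATCHED_PATH} within 10 s")
```

The same per-client counting logic is what a WAF or reverse-proxy rate limit applies in real time; running it over historical logs shows whether the thresholds you pick would catch bursts without flagging normal UI polling.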
Affected Countries
United States, China, Germany, United Kingdom, Canada, France, Japan, South Korea, India, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2026-02-06T14:23:41.354Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69878f40f9fa50a62f7c5181
Added to database: 2/7/2026, 7:15:12 PM
Last enriched: 2/23/2026, 9:27:56 PM
Last updated: 3/24/2026, 12:35:04 AM