
CVE-2026-22033: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in HumanSignal label-studio

Severity: High
Tags: CVE-2026-22033, CWE-79, CWE-284
Published: Mon Jan 12 2026 (01/12/2026, 17:47:34 UTC)
Source: CVE Database V5
Vendor/Project: HumanSignal
Product: label-studio

Description

Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users’ browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim’s API token or call token reset endpoints — enabling full account takeover and unauthorized API access.

AI-Powered Analysis

Last updated: 01/12/2026, 18:23:06 UTC

Technical Analysis

CVE-2026-22033 is a persistent stored cross-site scripting (XSS) vulnerability identified in HumanSignal's Label Studio, a multi-type data labeling and annotation tool widely used in machine learning workflows. The flaw exists in versions 1.22.0 and earlier within the custom_hotkeys functionality, where user-supplied input is not properly neutralized before being rendered in the templates/base.html page template. An attacker with authenticated access, or one capable of tricking a legitimate user or administrator into updating their custom hotkeys, can inject arbitrary JavaScript code. This malicious script executes in the browsers of other users who load affected pages, enabling the attacker to perform actions on behalf of victims. The risk is heightened because the application exposes an API token endpoint (/api/current-user/token) directly to the browser and lacks robust Cross-Site Request Forgery (CSRF) protections on certain API endpoints. Consequently, the injected script can retrieve the victim's API token or invoke token reset endpoints, facilitating full account takeover and unauthorized API access. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-284 (Improper Access Control). The CVSS 4.0 base score is 8.6, indicating high severity, with attack vector network, low attack complexity, no privileges required beyond authentication, no user interaction, and high impact on confidentiality and integrity. No public exploits have been reported yet, but the potential for abuse is significant given the sensitive nature of API tokens and account control. The vulnerability underscores the importance of secure input handling, strict access controls, and comprehensive CSRF protections in web applications that manage sensitive data and authentication tokens.

Potential Impact

For European organizations, especially those involved in AI, machine learning, and data annotation workflows, this vulnerability poses a significant risk. Exploitation can lead to full account takeover, unauthorized API access, and potential data exfiltration or manipulation. Since Label Studio is often used collaboratively, the persistent XSS can propagate across multiple users, amplifying the impact. Confidentiality is at high risk due to exposure of API tokens, and integrity is compromised by unauthorized actions performed via hijacked accounts. Availability impact is lower but could occur if attackers reset tokens or disrupt user sessions. Organizations handling sensitive or regulated data (e.g., personal data under GDPR) face compliance risks and potential legal consequences if breaches occur. The vulnerability could also be leveraged as a foothold for further lateral movement within networks. Given the network attack vector and no requirement for user interaction, exploitation can be automated and widespread once the vulnerability is weaponized.

Mitigation Recommendations

1. Immediately restrict access to the custom_hotkeys feature to trusted administrators only until a patch is available.
2. Apply strict input validation and output encoding on all user-supplied data related to custom hotkeys to prevent script injection.
3. Implement or enhance CSRF protections on all API endpoints, especially those handling authentication tokens and sensitive operations.
4. Monitor and audit changes to custom hotkeys and API token usage for suspicious activity.
5. Educate users and administrators about phishing and social engineering risks that could lead to malicious hotkey updates.
6. Once HumanSignal releases a patched version, promptly upgrade to the fixed release.
7. Consider isolating Label Studio instances in segmented network zones to limit lateral movement if compromise occurs.
8. Employ Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting Label Studio endpoints.
9. Regularly review and rotate API tokens and credentials to minimize exposure windows.
10. Conduct penetration testing and code reviews focused on input handling and authentication mechanisms.
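Recommendation 2 (input validation plus output encoding for custom hotkeys) in working form. This is an added illustration written for this page, not Label Studio's own code: the action names, the hotkey grammar and the template fragments are assumptions, and the contrast is between dropping json.dumps output straight into a script tag (the class of defect CWE-79 describes) and an allowlist at write time plus an escaped JSON data block at render time.

```python
import json
import re

# Hypothetical allowlist of rebindable actions (not Label Studio's real action names).
ALLOWED_ACTIONS = {"submit", "skip", "undo", "redo", "next_region"}
# Zero or more modifiers followed by exactly one key token, e.g. "ctrl+shift+s", "alt+enter".
HOTKEY_RE = re.compile(
    r"^(?:(?:ctrl|alt|shift|meta)\+)*(?:[a-z0-9]|enter|escape|space|tab|up|down|left|right)$"
)


def validate_hotkeys(raw: dict) -> dict:
    """Write-time input validation: unknown actions and free-form key strings
    (the only place script markup could ride in) are rejected before storage."""
    clean = {}
    for action, combo in raw.items():
        if action not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown hotkey action: {action!r}")
        if not isinstance(combo, str) or not HOTKEY_RE.fullmatch(combo):
            raise ValueError(f"malformed key combination for {action!r}")
        clean[action] = combo
    return clean


def is_valid_hotkeys(raw: dict) -> bool:
    try:
        validate_hotkeys(raw)
        return True
    except ValueError:
        return False


def render_hotkeys_unsafe(hotkeys: dict) -> str:
    """Vulnerable pattern: json.dumps does not escape '<' or '/', so a stored
    value containing '</script>' closes the element and the rest becomes markup."""
    return "<script>var hotkeys = " + json.dumps(hotkeys) + ";</script>"


def json_for_script(value) -> str:
    """Render-time output encoding: JSON-escape '<', '>' and '&' so no string
    can terminate the script element (same idea as Django's json_script filter)."""
    text = json.dumps(value)
    return text.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def render_hotkeys_safe(hotkeys: dict) -> str:
    """Hardened pattern: a non-executable JSON block; page script reads it with
    JSON.parse(document.getElementById("custom-hotkeys").textContent)."""
    return ('<script id="custom-hotkeys" type="application/json">'
            + json_for_script(hotkeys) + "</script>")


# Constructed sample: a stored value that attempts to close the script element.
TAMPERED = {"submit": "</script><script>/* constructed */</script>"}
```

Both layers apply independently: the validator stops the value reaching the database, and the encoder keeps the template safe even for rows stored before the validator existed.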


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-05T22:30:38.719Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 696538adda2266e838f1b6a8

Added to database: 1/12/2026, 6:08:45 PM

Last enriched: 1/12/2026, 6:23:06 PM

Last updated: 1/13/2026, 3:52:34 AM

