CVE-2026-23526: CWE-267: Privilege Defined With Unsafe Actions in cvat-ai cvat
CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the issue. As a workaround, review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges.
AI Analysis
Technical Summary
CVE-2026-23526 is a privilege escalation vulnerability classified under CWE-267 (Privilege Defined With Unsafe Actions) affecting CVAT, an open source interactive video and image annotation tool widely used in computer vision workflows. The vulnerability exists in versions 1.0.0 through 2.54.0, where users with staff status can alter their own permissions without any further check. Specifically, a staff user can grant themselves superuser status and add themselves to the admin group. This bypasses the intended access controls and grants full administrative rights and unrestricted access to all data managed by the CVAT instance. The vulnerability is exploitable remotely by any authenticated staff user; no additional authentication step and no user interaction are required, which raises its risk profile. The root cause is insufficient enforcement of permission boundaries for staff users: a role that is allowed to edit user records is also allowed to edit the privilege-bearing fields of its own record. The issue was resolved in CVAT version 2.55.0 by restricting permission changes and enforcing role boundaries. No exploits have been reported in the wild so far, but the CVSS score of 8.5 reflects the severity of the flaw given its impact on confidentiality and integrity and the ease with which any staff user can exploit it.
Potential Impact
The vulnerability allows any user with staff status to escalate privileges to superuser and admin levels, resulting in complete compromise of the CVAT instance. This can lead to unauthorized access, modification, or deletion of sensitive annotation data, intellectual property, or personally identifiable information processed within CVAT. Organizations using CVAT for critical computer vision projects risk data breaches, loss of data integrity, and potential operational disruption. The breach of administrative controls also undermines trust in the system's security and may expose organizations to regulatory and compliance violations. Since CVAT is often deployed in research, commercial AI development, and governmental projects, the impact can be widespread and severe. The vulnerability's remote exploitability without user interaction further increases the threat, enabling insider threats or compromised staff accounts to cause significant damage.
Mitigation Recommendations
1. Upgrade CVAT installations to version 2.55.0 or later immediately to apply the official fix that restricts staff users from modifying their own permissions.
2. Conduct a thorough audit of all users with staff status and revoke this role from any users who do not require it or are not fully trusted.
3. Implement strict access control policies and role assignment procedures to minimize the number of staff users.
4. Monitor logs for unusual permission changes or privilege escalations within CVAT.
5. Consider deploying CVAT behind strong network access controls and VPNs to limit exposure to trusted users only.
6. Regularly review and update user roles and permissions as part of security hygiene.
7. If upgrading immediately is not possible, temporarily disable staff user functionality or restrict it via custom configuration or firewall rules to prevent exploitation.
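Two points in the list above lend themselves to code: the permission boundary that the fix restores (recommendation 1) and the audit of staff accounts suggested as the workaround (recommendation 2). The Python below is an added example and is not CVAT's code; its `User` model, the field names `is_staff`, `is_superuser` and `groups`, the group name `admin` and the sample accounts are constructed assumptions used only to illustrate the CWE-267 pattern and its correction.

```python
"""
Added example (not CVAT's code) modelling CWE-267 as described in the advisory:
a role that may edit user records must not also be able to edit the fields
that confer privilege, least of all on its own account. The audit function
implements the workaround of listing elevated accounts that are not approved.
All users, field names and the 'admin' group are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Fields whose value confers privilege. Changing them is itself a privileged act.
PRIVILEGE_FIELDS = {"is_staff", "is_superuser", "groups"}
ADMIN_GROUP = "admin"  # assumed group name


@dataclass
class User:
    username: str
    email: str = ""
    is_staff: bool = False
    is_superuser: bool = False
    groups: Set[str] = field(default_factory=set)


class PermissionDenied(Exception):
    pass


def _apply(target: User, changes: Dict) -> User:
    for key, value in changes.items():
        setattr(target, key, set(value) if key == "groups" else value)
    return target


def update_user_vulnerable(actor: User, target: User, changes: Dict) -> User:
    """The flaw class: staff status is the only gate, so a staff user may write
    any field on any account, including the privilege fields of their own."""
    if not actor.is_staff:
        raise PermissionDenied("staff required")
    return _apply(target, changes)


def update_user_hardened(actor: User, target: User, changes: Dict) -> User:
    """Corrected pattern: privilege fields need superuser, and not even a
    superuser may change their own privilege fields through this path."""
    if not actor.is_staff:
        raise PermissionDenied("staff required")
    touched = PRIVILEGE_FIELDS & set(changes)
    if touched:
        if not actor.is_superuser:
            raise PermissionDenied(f"superuser required to change {sorted(touched)}")
        if actor.username == target.username:
            raise PermissionDenied("cannot change own privilege fields")
    return _apply(target, changes)


def audit_staff(users: List[User], approved: Set[str]) -> List[str]:
    """Workaround check: usernames that hold staff, superuser or admin-group
    privilege without being on the explicitly approved list."""
    findings = []
    for u in users:
        elevated = u.is_staff or u.is_superuser or ADMIN_GROUP in u.groups
        if elevated and u.username not in approved:
            findings.append(u.username)
    return sorted(findings)


def demo():
    """Constructed scenario: a staff account tries to set superuser and join
    'admin' on itself. Returns (escalated_under_vulnerable, blocked_under_hardened)."""
    escalation = {"is_superuser": True, "groups": ["admin"]}
    staff = User("staff_annotator", is_staff=True)
    update_user_vulnerable(staff, staff, dict(escalation))
    escalated = staff.is_superuser and ADMIN_GROUP in staff.groups

    staff2 = User("staff_annotator", is_staff=True)
    try:
        update_user_hardened(staff2, staff2, dict(escalation))
        blocked = False
    except PermissionDenied:
        blocked = True
    return escalated, blocked


if __name__ == "__main__":
    print("vulnerable escalated, hardened blocked:", demo())
    sample = [User("alice", is_staff=True), User("bob"),
              User("carol", groups={"admin"}), User("root", is_superuser=True)]
    print("unapproved elevated accounts:", audit_staff(sample, {"root"}))
```

The hardened handler treats the set of privilege-bearing fields as a single boundary rather than checking each field in isolation, which is the property the advisory's fix restores; the audit function is the list a reviewer would walk through when applying the workaround before upgrading.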
Affected Countries
United States, Germany, China, India, United Kingdom, France, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-13T18:22:43.980Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69714dc34623b1157cef80f5
Added to database: 1/21/2026, 10:05:55 PM
Last enriched: 2/27/2026, 8:42:52 AM
Last updated: 3/26/2026, 4:13:00 AM