
CVE-2026-23526: CWE-267: Privilege Defined With Unsafe Actions in cvat-ai cvat

Severity: High
Published: Wed Jan 21 2026 (01/21/2026, 21:40:25 UTC)
Source: CVE Database V5
Vendor/Project: cvat-ai
Product: cvat

Description

CVE-2026-23526 is a high-severity privilege escalation vulnerability in the CVAT open source annotation tool versions 1.0.0 through 2.54.0. Users with staff status can exploit this flaw to escalate their privileges by modifying their own permissions, including granting themselves superuser status and joining the admin group. This grants full access to all data within the CVAT instance without requiring authentication or user interaction. The vulnerability is fixed in version 2.55.0.

AI-Powered Analysis

AI analysis last updated: 01/21/2026, 22:20:16 UTC

Technical Analysis

CVE-2026-23526 is a privilege escalation vulnerability classified under CWE-267 (Privilege Defined With Unsafe Actions) affecting the CVAT (Computer Vision Annotation Tool) open source software versions from 1.0.0 up to 2.54.0. CVAT is widely used for interactive video and image annotation in computer vision projects. The vulnerability arises because users assigned the 'staff' status have the ability to alter their own permissions within the system, including elevating themselves to superuser status and joining the admin group. This escalation bypasses intended access controls, granting full administrative privileges and unrestricted access to all data managed by the CVAT instance. The flaw requires no user interaction and no additional authentication beyond having staff status, making it trivially exploitable by any staff user. The vulnerability was assigned a CVSS 4.0 score of 8.5, reflecting its high impact on confidentiality and integrity, with network attack vector and low attack complexity. The issue was resolved in CVAT version 2.55.0. As an interim mitigation, organizations are advised to audit and remove staff status from any users who do not require elevated privileges to prevent unauthorized privilege escalation. No public exploits have been reported to date, but the vulnerability poses a significant risk to environments where CVAT is used to handle sensitive or proprietary data.

Potential Impact

For European organizations, the impact of this vulnerability can be severe, especially for those in sectors relying heavily on computer vision data annotation such as automotive, healthcare, manufacturing, and research institutions. Unauthorized privilege escalation can lead to full administrative control over the CVAT platform, enabling attackers or malicious insiders to access, modify, or exfiltrate sensitive annotated datasets. This can compromise intellectual property, violate data protection regulations such as GDPR, and disrupt critical AI/ML development workflows. The integrity of annotated data is crucial for training accurate machine learning models; thus, tampering could degrade model performance or introduce biases. Additionally, unauthorized access could lead to lateral movement within the network if CVAT instances are integrated with other internal systems. The vulnerability’s ease of exploitation and high impact on confidentiality and integrity make it a critical risk for European entities using vulnerable CVAT versions.

Mitigation Recommendations

1. Upgrade all CVAT instances to version 2.55.0 or later immediately to apply the official fix.
2. Conduct a thorough audit of all users with staff status and revoke this status from any users who do not require it for their role.
3. Implement strict role-based access control (RBAC) policies to limit the assignment of staff status only to trusted administrators.
4. Monitor CVAT logs for unusual permission changes or privilege escalation attempts.
5. Isolate CVAT instances within segmented network zones to limit potential lateral movement in case of compromise.
6. Regularly review and update user permissions and conduct periodic security assessments of the CVAT environment.
7. Educate administrators and users about the risks associated with privilege escalation and the importance of least privilege principles.
8. If feasible, implement multi-factor authentication (MFA) for administrative access to CVAT to add an additional security layer.
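The following is an added example, not CVAT's own code, written to illustrate the CWE-267 pattern described in the Technical Analysis and the audit and log-monitoring steps (2 and 4) above. It models a user-update handler in plain Python: the unsafe variant lets any staff user edit privilege fields on any account, including their own, while the hardened variant restricts privilege fields (is_staff, is_superuser, group membership) to superusers and refuses self-elevation. It also includes an allowlist audit of staff accounts and a detector that flags privilege-field changes in a constructed audit-log format. The User dataclass, the field names, the log line format and the sample users are all assumptions made for this example; real CVAT uses Django's auth model and its own serializers, which are not reproduced here.

```python
from dataclasses import dataclass, replace

# Fields whose modification grants or removes privilege (assumed names for this example).
PRIVILEGE_FIELDS = {"is_staff", "is_superuser", "groups"}


@dataclass(frozen=True)
class User:
    """Minimal stand-in for an auth user record (constructed for this example)."""
    username: str
    email: str = ""
    is_staff: bool = False
    is_superuser: bool = False
    groups: frozenset = frozenset()


class PermissionDenied(Exception):
    pass


def update_user_unsafe(actor: User, target: User, changes: dict) -> User:
    """Vulnerable pattern (CWE-267): the only check is 'is the caller staff?'.

    Any staff user may therefore set is_superuser=True or join the admin group
    on their own record, which is the escalation CVE-2026-23526 describes.
    """
    if not actor.is_staff:
        raise PermissionDenied("staff status required")
    return replace(target, **changes)


def update_user_safe(actor: User, target: User, changes: dict) -> User:
    """Hardened pattern: privilege fields need a superuser, and never on one's own account."""
    if not actor.is_staff:
        raise PermissionDenied("staff status required")
    touched = PRIVILEGE_FIELDS & changes.keys()
    if touched:
        if not actor.is_superuser:
            raise PermissionDenied(f"only superusers may change {sorted(touched)}")
        if actor.username == target.username:
            raise PermissionDenied("privilege fields cannot be changed on your own account")
    return replace(target, **changes)


def audit_staff(users, allowed_staff) -> list:
    """Interim mitigation: staff accounts that are not on the approved-administrator allowlist."""
    return sorted(u.username for u in users if u.is_staff and u.username not in allowed_staff)


def detect_privilege_changes(log_lines) -> list:
    """Flag audit-log entries that change a privilege field.

    The log format 'ts actor=<u> target=<u> field=<f> old=<v> new=<v>' is constructed
    for this example; adapt the parser to the real log source.  Each finding is a tuple
    (actor, target, field, self_modification).
    """
    findings = []
    for line in log_lines:
        parts = line.split()
        kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        field_name = kv.get("field")
        if field_name in PRIVILEGE_FIELDS:
            actor, target = kv.get("actor"), kv.get("target")
            findings.append((actor, target, field_name, actor == target))
    return findings


# Constructed sample data for a stand-alone run.
ALICE = User("alice", "alice@example.invalid", is_staff=True, is_superuser=True)
BOB = User("bob", "bob@example.invalid", is_staff=True)
CAROL = User("carol", "carol@example.invalid")
SAMPLE_LOG = [
    "2026-01-21T21:40:25Z actor=bob target=carol field=email old=x new=y",
    "2026-01-21T21:41:02Z actor=bob target=bob field=is_superuser old=False new=True",
    "2026-01-21T21:41:09Z actor=bob target=bob field=groups old= new=admin",
    "2026-01-21T21:45:00Z actor=alice target=carol field=is_staff old=False new=True",
]

if __name__ == "__main__":
    print("unsafe self-escalation:", update_user_unsafe(BOB, BOB, {"is_superuser": True}).is_superuser)
    try:
        update_user_safe(BOB, BOB, {"is_superuser": True})
    except PermissionDenied as exc:
        print("safe handler refused:", exc)
    print("unapproved staff:", audit_staff([ALICE, BOB, CAROL], {"alice"}))
    print("flagged log entries:", detect_privilege_changes(SAMPLE_LOG))
```

The unsafe handler is kept only to show the gap the hardened one closes: both require staff status, but the hardened version treats privilege fields as a separate, superuser-only class of change and applies the "never your own account" rule on top, which is the control the CWE-267 classification points to. The detector treats any self-modification of a privilege field as the highest-priority finding.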


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-01-13T18:22:43.980Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 69714dc34623b1157cef80f5

Added to database: 1/21/2026, 10:05:55 PM

Last enriched: 1/21/2026, 10:20:16 PM

Last updated: 1/22/2026, 12:22:02 AM

