CVE-2026-58373: Missing Authorization in cvat-ai cvat
CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. Attackers can send requests with sequential integer parent_id values and distinguish between existing and non-existing reports via HTTP 500 versus HTTP 404 response differences, disclosing cross-organization report existence without returning report content.
AI Analysis
Technical Summary
CVE-2026-58373 describes an improper authorization vulnerability in cvat-ai's CVAT product before version 2.69.0. The issue resides in the QualityReportViewSet.get_queryset function, where the absence of a check_object_permissions call on the parent_id query parameter enables authenticated attackers to enumerate quality report IDs belonging to other organizations. By sending requests with sequential integer parent_id values, attackers can distinguish existing reports from non-existing ones via HTTP 500 versus HTTP 404 responses. This vulnerability leaks the existence of cross-organization reports without exposing their content.
Potential Impact
The vulnerability allows authenticated attackers to confirm the existence of quality reports belonging to other organizations by observing HTTP response differences. This leads to information disclosure about report identifiers across organizational boundaries. However, the actual content of the reports is not accessible, and there is no impact on integrity or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the quality reports API endpoint to trusted users only and monitor for unusual enumeration activity. Implement additional authorization checks on the parent_id parameter if possible.
CVE-2026-58373: Missing Authorization in cvat-ai cvat
Description
CVAT before 2.69.0 contains an improper authorization vulnerability in QualityReportViewSet.get_queryset that allows authenticated attackers to enumerate quality report identifiers belonging to other organizations by exploiting a missing check_object_permissions call on the parent_id query parameter of the quality reports API endpoint. Attackers can send requests with sequential integer parent_id values and distinguish between existing and non-existing reports via HTTP 500 versus HTTP 404 response differences, disclosing cross-organization report existence without returning report content.
CVSS v3.1
Score 4.3medium
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-58373 describes an improper authorization vulnerability in cvat-ai's CVAT product before version 2.69.0. The issue resides in the QualityReportViewSet.get_queryset function, where the absence of a check_object_permissions call on the parent_id query parameter enables authenticated attackers to enumerate quality report IDs belonging to other organizations. By sending requests with sequential integer parent_id values, attackers can distinguish existing reports from non-existing ones via HTTP 500 versus HTTP 404 responses. This vulnerability leaks the existence of cross-organization reports without exposing their content.
Potential Impact
The vulnerability allows authenticated attackers to confirm the existence of quality reports belonging to other organizations by observing HTTP response differences. This leads to information disclosure about report identifiers across organizational boundaries. However, the actual content of the reports is not accessible, and there is no impact on integrity or availability.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict access to the quality reports API endpoint to trusted users only and monitor for unusual enumeration activity. Implement additional authorization checks on the parent_id parameter if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-06-30T12:32:16.547Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a43f43127e9c79719185fa3
Added to database: 06/30/2026, 16:52:01 UTC
Last enriched: 06/30/2026, 17:07:11 UTC
Last updated: 06/30/2026, 17:21:48 UTC
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.