Improper Authorization in CVAT Affects Quality Report Management
CVE-2026-58373

5.3MEDIUM

Key Information:

Vendor: Cvat-ai
Status: Cvat
Vendor: CVE Published:; 30 June 2026

What is CVE-2026-58373?

CVAT versions prior to 2.69.0 are susceptible to an improper authorization vulnerability within the QualityReportViewSet.get_queryset method. This issue allows authenticated users to exploit the API by sending sequential integer values for the parent_id parameter. Attackers can discern whether quality report identifiers exist across different organizations based on the responses returned from the server — distinguishing between a 500 Internal Server Error for existing reports and a 404 Not Found for non-existing ones. This flaw enables leakage of report existence information without revealing any actual report content, posing significant privacy risks across organizations.

Affected Version(s)

cvat 0 < 2.69.0

References

https://github.com/cvat-ai/cvat/releases/tag/v2.69.0

release-notes

https://github.com/cvat-ai/cvat/pull/10807

issue-tracking

https://github.com/cvat-ai/cvat/commit/27953f19d2265f8b49...

patch

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 30, 2026
Vulnerability Reserved
Jun 30, 2026

Credit

George Chen

CVE-2026-58373 Data

JSON

Cvat-ai

What is CVE-2026-58373?

Affected Version(s)

References

CVSS V4

Timeline

Credit