Skip to main content

jsbroks COCO Annotator CVE-2026-7681

| EUVDEUVD-2026-26817 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-03 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Generated
May 03, 2026 - 06:30 vuln.today
CVSS changed
May 03, 2026 - 06:22 NVD
6.5 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
May 03, 2026 - 06:15 vuln.today
Public exploit code
EUVD ID Assigned
May 03, 2026 - 06:00 euvd
EUVD-2026-26817
Analysis Generated
May 03, 2026 - 06:00 vuln.today
CVE Published
May 03, 2026 - 05:00 nvd
MEDIUM 5.5

DescriptionCVE.org

A security vulnerability has been detected in jsbroks COCO Annotator up to 0.11.1. Affected by this vulnerability is an unknown functionality of the file backend/webserver/api/datasets.py of the component Dataset API. The manipulation of the argument DatasetId leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Authorization bypass in jsbroks COCO Annotator up to version 0.11.1 allows remote unauthenticated attackers to modify dataset parameters via manipulation of the DatasetId argument in the Dataset API endpoint backend/webserver/api/datasets.py, enabling unauthorized access to and modification of annotation datasets. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

Technical ContextAI

The vulnerability exists in the Dataset API component of COCO Annotator, a collaborative image annotation tool. The affected file backend/webserver/api/datasets.py handles dataset management operations through REST API endpoints. The root cause is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that the application uses user-supplied input (DatasetId parameter) to determine access control decisions without proper validation of the requester's permissions. The vulnerability suggests the API endpoint trusts client-supplied dataset identifiers to validate ownership or authorization, allowing attackers to reference and manipulate datasets belonging to other users or projects by simply modifying the DatasetId value in their requests.

RemediationAI

No vendor-released patch identified at time of analysis due to vendor non-response to disclosure. Immediate remediation options include: (1) Upgrade from COCO Annotator or discontinue use pending vendor response (recommended if security-critical); (2) Implement API gateway authentication and authorization controls that enforce per-user dataset access restrictions independent of client-supplied DatasetId parameters-validate that the authenticated user has explicit permission to access each dataset before processing the request; (3) Network segmentation: restrict COCO Annotator API access to trusted internal networks only, blocking external and untrusted client access via firewall rules; (4) Add input validation and parameterized access control in backend code (if modifying source) to check user credentials and dataset ownership before returning or modifying dataset objects, ensuring DatasetId alone does not grant access; (5) Implement API request logging and alerting on suspicious DatasetId patterns or cross-user access attempts to detect exploitation attempts. Network restriction is the most effective immediate compensating control but limits usability for distributed teams.

Share

CVE-2026-7681 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy