Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A security vulnerability has been detected in jsbroks COCO Annotator up to 0.11.1. Affected by this vulnerability is an unknown functionality of the file backend/webserver/api/datasets.py of the component Dataset API. The manipulation of the argument DatasetId leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Authorization bypass in jsbroks COCO Annotator up to version 0.11.1 allows remote unauthenticated attackers to modify dataset parameters via manipulation of the DatasetId argument in the Dataset API endpoint backend/webserver/api/datasets.py, enabling unauthorized access to and modification of annotation datasets. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.
Technical ContextAI
The vulnerability exists in the Dataset API component of COCO Annotator, a collaborative image annotation tool. The affected file backend/webserver/api/datasets.py handles dataset management operations through REST API endpoints. The root cause is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that the application uses user-supplied input (DatasetId parameter) to determine access control decisions without proper validation of the requester's permissions. The vulnerability suggests the API endpoint trusts client-supplied dataset identifiers to validate ownership or authorization, allowing attackers to reference and manipulate datasets belonging to other users or projects by simply modifying the DatasetId value in their requests.
RemediationAI
No vendor-released patch identified at time of analysis due to vendor non-response to disclosure. Immediate remediation options include: (1) Upgrade from COCO Annotator or discontinue use pending vendor response (recommended if security-critical); (2) Implement API gateway authentication and authorization controls that enforce per-user dataset access restrictions independent of client-supplied DatasetId parameters-validate that the authenticated user has explicit permission to access each dataset before processing the request; (3) Network segmentation: restrict COCO Annotator API access to trusted internal networks only, blocking external and untrusted client access via firewall rules; (4) Add input validation and parameterized access control in backend code (if modifying source) to check user credentials and dataset ownership before returning or modifying dataset objects, ensuring DatasetId alone does not grant access; (5) Implement API request logging and alerting on suspicious DatasetId patterns or cross-user access attempts to detect exploitation attempts. Network restriction is the most effective immediate compensating control but limits usability for distributed teams.
More in Coco Annotator
View allA vulnerability, which was classified as problematic, was found in jsbroks COCO Annotator 0.11.1. Rated medium severity
Coco Annotator versions up to 0.11.1. is affected by improper resource shutdown or release (CVSS 5.3).
Coco Annotator through version 0.11.1 contains an authorization bypass in the Delete Category Handler endpoint (/api/und
Path traversal in jsbroks COCO Annotator up to version 0.11.1 allows authenticated remote attackers to access arbitrary
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26817