SB2026052129 - Path traversal in Computer Vision Annotation Tool (CVAT)
Published: May 21, 2026
Description
This security bulletin contains information about 1 vulnerability.
1) Path traversal (CVE-ID: CVE-2026-47682)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to overwrite arbitrary files on the server's filesystem.
The vulnerability exists due to path traversal in the cloud storage import handling when processing files from an added cloud storage. A remote user can place a crafted file path in cloud storage content to overwrite arbitrary files on the server's filesystem.
Exploitation requires write access to a cloud storage added to the instance, or the ability to add a new cloud storage.
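A containment check of the kind this class of bug calls for, as an added example that is not CVAT's code or the vendor's fix: it treats every cloud storage object key as untrusted and maps it only to a path inside the import directory. The function names, the exception class and the sample keys are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path, PurePosixPath


class UnsafeObjectKey(ValueError):
    """Raised when an object key would escape the import directory."""


def resolve_import_path(base_dir, object_key):
    """Map an untrusted object key to a path inside base_dir, or raise."""
    if not object_key or "\x00" in object_key or "\\" in object_key:
        raise UnsafeObjectKey(f"rejected key: {object_key!r}")
    key = PurePosixPath(object_key)
    # Keys come from storage content the uploader controls: refuse absolute
    # keys and any '..' segment instead of trying to normalise them away.
    if key.is_absolute() or ".." in key.parts:
        raise UnsafeObjectKey(f"rejected key: {object_key!r}")
    base = Path(base_dir).resolve()
    target = (base / Path(*key.parts)).resolve()
    # Re-check after resolution: this catches symlinks under base_dir that
    # point outside it, which the lexical check above cannot see.
    if target == base or not target.is_relative_to(base):
        raise UnsafeObjectKey(f"escapes import directory: {object_key!r}")
    return target


def check_keys(base_dir, keys):
    """Return {key: True if accepted, False if rejected} for a listing."""
    verdicts = {}
    for k in keys:
        try:
            resolve_import_path(base_dir, k)
            verdicts[k] = True
        except UnsafeObjectKey:
            verdicts[k] = False
    return verdicts


# Constructed sample listing (hypothetical object keys, not from the bulletin).
SAMPLE_KEYS = ["images/0001.jpg", "../outside.txt", "/abs/path.txt",
               "images/../../outside.txt", "images\\..\\x.txt", "."]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for k, ok in check_keys(tmp, SAMPLE_KEYS).items():
            print("accept" if ok else "reject", repr(k))
```

Requires Python 3.9 or later for `Path.is_relative_to`.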
Remediation
Install the update from the vendor's website.