Cyber Resilience

CVE-2026-2109

MediumPublic PoC

Published: 07 February 2026

Published
07 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0039 30.3th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-2109 is a medium-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Jsbroks Coco Annotator. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 30.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-2109 is an improper authorization vulnerability in jsbroks COCO Annotator versions up to 0.11.1. It affects an unknown function within the /api/undo/ endpoint of the Delete Category Handler component, where manipulation of the ID argument enables unauthorized actions. The issue is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-285 (Improper Authorization), with a CVSS 3.1 base score of 5.4 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).

Remote attackers with low privileges, such as authenticated users, can exploit this vulnerability over the network with low complexity and no user interaction required. Exploitation allows limited impacts on integrity and availability, potentially enabling unauthorized deletions or modifications via the undo mechanism, though confidentiality remains unaffected.

Advisories from VulDB detail the issue and reference a public exploit in a GitHub vulnerability research repository. The vendor was contacted early regarding disclosure but provided no response, and no patches or official mitigations are available.

The exploit is publicly available and might be used in attacks. The vulnerability was published on 2026-02-07.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be…

more

launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper authorization (CWE-266/285) on authenticated API endpoint enables privilege escalation via ID manipulation for unauthorized deletions; public web app exposure supports remote exploitation of public-facing service.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-2108Same product: Jsbroks Coco Annotator
CVE-2026-3263Shared CWE-266, CWE-285
CVE-2026-2078Shared CWE-266, CWE-285
CVE-2026-2015Shared CWE-266, CWE-285
CVE-2026-3265Shared CWE-266, CWE-285
CVE-2026-1550Shared CWE-266, CWE-285
CVE-2026-1141Shared CWE-266, CWE-285
CVE-2026-2141Shared CWE-266, CWE-285
CVE-2025-10389Shared CWE-266, CWE-285
CVE-2026-3762Shared CWE-266, CWE-285

Affected Assets

jsbroks
coco annotator
≤ 0.11.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks on the ID argument at /api/undo/ so that only permitted users can invoke Delete Category actions.

prevent

Requires that every authenticated user operate with the minimal privileges needed, eliminating the incorrect privilege assignment that lets low-privileged accounts delete categories via undo.

prevent

Ensures access-control decisions are made and enforced at the policy decision point before the undo handler processes the supplied ID.

References