A high-severity persistent stored cross-site scripting (XSS) vulnerability exists in Humansignal's Label Studio, specifically in the custom_hotkeys functionality. The vulnerability affects versions 1.22.0 and earlier. An authenticated attacker, or one who can deceive a user or administrator into updating their custom_hotkeys, can inject malicious JavaScript code into the application. This code executes in the browsers of other users when they load any page using the templates/base.html template. The potential ramifications are severe, as the injected script can fetch the victim's API token or trigger token reset endpoints, leading to full account takeover and unauthorized access to APIs.
The vulnerability has a CVSS score of 8.6, indicating it is classified as high severity. This score reflects the potential impact on confidentiality and integrity, which are rated as high, while availability remains unaffected. The exploitation of this vulnerability requires low attack complexity and only low privileges, which increases the risk to organizations. Given the application's exposure of an API token endpoint to the browser and inadequate CSRF protection on some API endpoints, the urgency for remediation is significant.
Organizations should prioritize patching immediately. The vulnerability was published on January 12, 2026, and has since been analyzed. Users of Label Studio should ensure they are operating on versions above 1.22.0 to mitigate the risk associated with this vulnerability.
As of the latest information, no public exploit has been confirmed, and this vulnerability is not included in the Known Exploited Vulnerabilities (KEV) catalog. However, the low complexity of the attack and the high potential for exploitation warrant attention and immediate action.
Vulnerability Details
Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting (XSS) vulnerability exists in the custom_hotkeys functionality of the application. An authenticated attacker (or one who can trick a user/administrator into updating their custom_hotkeys) can inject JavaScript code that executes in other users’ browsers when those users load any page using the templates/base.html template. Because the application exposes an API token endpoint (/api/current-user/token) to the browser and lacks robust CSRF protection on some API endpoints, the injected script may fetch the victim’s API token or call token reset endpoints — enabling full account takeover and unauthorized API access.
The CVSS score for this vulnerability is 8.6, classified as high severity. The attack vector is network-based, with low complexity and low privileges required for exploitation. User interaction is not needed, making it easier for attackers to exploit the vulnerability. The confidentiality and integrity impacts are high, while availability is not affected.
Technical Analysis
The root cause of this vulnerability lies in the improper handling of user input in the custom_hotkeys functionality. Attackers can inject scripts that execute in the context of other users' sessions. The attack vector is through the application’s web interface, allowing an attacker to manipulate the data sent to the server. The attack complexity is low due to the straightforward nature of the XSS attack, requiring only that the attacker convinces a user to update their custom_hotkeys.
No elevated privileges are required, as the vulnerability can be exploited by authenticated users. Importantly, user interaction is not necessary for the attack to succeed, which increases its risk profile. The impact on confidentiality is significant, as attackers may gain access to sensitive API tokens, while the integrity of user sessions can also be compromised. The availability of the system remains unaffected, as the attack does not disrupt service but rather enables unauthorized access.
Risk & Impact Analysis
The deployment of this vulnerability poses serious risks to organizations using Label Studio. The ability for attackers to execute scripts in the context of other users significantly increases the blast radius of potential attacks. Organizations may face unauthorized access to sensitive data, which can lead to compliance violations and damage to reputation. The risk is heightened by the fact that the exploitation does not require advanced skills or significant resources, making it accessible to a broader range of attackers.
Given the CVSS score of 8.6 and the factors involved, organizations should address this vulnerability in their priority patch cycle. The potential for exploitation is significant, and the implications of an attack could be severe, leading to financial loss and legal consequences.
Exploitation Status
Signal | Status |
|---|---|
Known Exploit | No |
Public PoC | No |
Actively Exploited | No |
Ransomware Use | No |
Affected Versions
The affected product is Label Studio, specifically versions 1.22.0 and earlier. Organizations should ensure they upgrade to the latest version to mitigate this vulnerability.
Mitigation & Remediation
To mitigate this vulnerability, organizations should immediately upgrade to the latest version of Label Studio, which addresses the XSS issue. Continuous security testing can help identify similar weaknesses in applications. For further guidance, organizations may refer to the penetration testing services to validate their security posture.
Detection Guidance
Organizations should monitor logs for any unusual API token requests or suspicious activities in user sessions. Behavioral anomalies, such as sudden changes in user behavior or unauthorized API access, should also be flagged for investigation. Additionally, network signatures that correspond to the exploitation of this vulnerability should be established to enhance detection capabilities.
AppSecure Threat Intelligence Insight
The persistence of XSS vulnerabilities like CVE-2026-22033 underscores the need for robust security practices in web applications. As attackers become increasingly sophisticated, security teams must prioritize the implementation of secure coding practices and regular security assessments. Notably, the pattern of exploiting user input vulnerabilities is a trend that continues to evolve. Organizations should focus on implementing comprehensive security measures, including secure coding standards and continuous security assessments.
For further insights on security practices, organizations can refer to our blog on penetration testing methodology and the importance of regular security assessments.
Moreover, the lessons learned from vulnerabilities like this should inform the development of security training programs for development teams. Investing in security education can significantly reduce the risk of similar vulnerabilities being introduced in the future. For ongoing support in securing applications, organizations may explore our application security assessment services.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
.webp)