Added

• [CLI] Added an Author-email field to the package metadata (#10143)

Changed

• [CLI] Replaced the deprecated Home-page field and license classifier with Project-URL and License-Expression fields, respectively (#10143)

Fixed

• Сonsecutive slicing of shapes without press Escape key (#10107)

• Inability to access some tasks with videos with bad keyframes (#10152)

• Related image display in tasks from the attached file share (#10153)

Changed

• [Server API] TUS upload endpoints no longer accept requests with no Content-Length header (#10098)

• [SDK] Package metadata no longer uses the deprecated Home-page and License fields (#10125)

Fixed

• Image scaling was not applied when image filter is enabled (#10111)

• Fixed TUS resumable upload validation to properly reject chunks that would exceed the declared file size (#10102)

• [SDK] Removed the redundant setuptools runtime dependency (#10125)

Security

• Fixed a directory traversal vulnerability in the /api/server/share endpoint (GHSA-3g7v-xjh7-xmqx)

Added

• Video chapters now can be displayed in the frame player and can be used for frame navigation during annotation. (#9924)

• "Return to Previous Page" button on Task, Project, Job, and Cloud Storage Not Found pages (#10028)

• Double click on a shape in 2D or 3D workspace now fits the shape into scene (#10108)

• Parameter "Control points size" now have effect for points on 3D canvas (#10119)

Changed

• It is now possible to back up tasks created from a mounted file share that use static chunk storage (#9972)

• Updated Nuclio to 1.15.9 (#10091)

• Reduced RAM usage on track export (#10041)

• Better zoom-in, zoom-out algorithm on side views of 3D canvas (#10109)

• Last zoom value on side cameras of 3D canvas memoized per object and restored when object reselected (#10110)

• Settings AAM Zoom Margin is now more general and responsible for paddings around focused objects (#10108)

• Improved algorithm for default zoom on side views of 3D canvas (#10120)

Removed

• SiamMask and some OpenVINO-based functions (#10091)

Fixed

• Backups of tasks created from a mounted file share no longer fail to import. Note that backups of such tasks created by previous versions of CVAT still cannot be imported (#9972)

• Heavyweight backups created from tasks using cloud storage that have images as frames and non-default start frame, stop frame or frame step settings no longer fail to import. Note that the fix is for backup creation; as such, CVAT will still not be able to import backups of such tasks created by previous versions (#10004)

• [CLI] Fixed a truncated error message that could be printed when running an agent for a remote function missing a (sub)label from the loaded AA function (#10070)

• Fixed creation of tasks from images in cloud storage without a manifest that use static chunks and a custom frame range (#10079)

• Low visibility of object details over canvas if background or image is dark (#10105)

• Weird camera behaviour when layout of 3D canvas gets resized (#10117)

Added

• Documentation for using Backblaze B2 as an S3-compatible cloud storage option in CVAT (#9952)

Changed

• Relaxed video manifest creation to make use of keyframes even if seek lands earlier (#9994)

Removed

• Python 3.9 support (due to Python 3.9 EOL) (#10051)

Fixed

• Fixed OpenAPI schema for retrieve_data endpoints: marked type parameter as required for both tasks and jobs API (#9315)

• Calculation of statistics in the job is failed when there is a track without keyframes (#10050)

• Update the updated_date field of the Task when PATCHing /api/tasks/<id>/data/meta (#10052)

• Incorrect retry handling of 429 TooManyRequests error in case of data uploading via TUS protocol (#10055)

• Error message is not displayed if not possible to fetch data for 3D canvas (#10059)

Added

• [Helm] Kvrocks PVC configuration via annotations (#10021)

• Added kvrocks PVC VolumeAttributeClass support (#10026)

• Added VolumeAttributesClass creation to public chart (#10030)

Changed

• Change expiration date format view in 'Security' -> 'Create API Token' from default ISO to DD/MM/YYYY so that it matches the dates in the token table (#9975)

• Files located in the data/tasks/<id> directory are no longer included in task backups, nor extracted from such backups when restoring. Recent versions of CVAT (since v2.6.2) no longer create or use such files (#10001)

• Updated Traefik to v3.6.x (#10018)

Fixed

• Excessive GET /api/users requests on task page for each assigned job (#9989)

• Actions menu can be opened twice on different resource cards: Projects, Jobs, Cloud storages, etc. (#9986)

• Quality conflicts can now be displayed in the review mode of consensus replicas (#10022)

• Fixed cloud storage status. Unavailable storages now return NOT_FOUND status instead of 400 Bad Request (#10011)

Added

• Helm charts are now available on Docker Hub, at https://hub.docker.com/r/cvat/cvat (#9925)

Changed

• Admins will no longer see access tokens of other users on the token management page (#9950)

Removed

• [Server API] Removed GOOGLE_DRIVE from the list of accepted cloud storage provider types; it has never been implemented (#9928)

• [Server API] Only own access tokens will be returned in the GET /api/auth/access_tokens responses for everyone, including admins (#9950)

• [Server API] The owner filters are removed from the GET /api/auth/access_tokens endpoint (#9950)

• [Server API] The redundant storage parameter of the POST /api/tasks/<id>/data endpoint has been removed; the storage location is determined based on other parameters (GHSA-x396-w86c-gf6w)

Fixed

• Improved memory use in project dataset exports (#9913)

• Aligned the names of cloud storage services in the UI with their official names (#9961)

• Improved performance of access token editing page in the admin panel (#9971)

• Incorrect chunk creation for some video files after FFmpeg update (#9974)

Security

• Fixed a vulnerability that let users write to the attached network share (GHSA-x396-w86c-gf6w)

Removed

• It is no longer possible to upgrade directly from CVAT releases prior to v2.0.0 (#9930)

Fixed

• UI crush on failed GET /api/server/annotation/formats request (#9927)

Added

• [CLI] CVAT_ACCESS_TOKEN environment variable can now be used for authentication with an API token (#9563)

• [SDK] Client.login() and make_client() can now be called with an API token (#9563)

• [SDK] make_client() can now be called with a server URL that contains a port component (#9563)

• [Server API] Support for API access tokens (#9680)

• [Server] A configuration option to set maximum job limit per task (#9888)

Fixed

• Tracks does not leak to other jobs on task export (#9905)

• Incorrect cloud storage value in tasks within a project after transferring between organizations (#9912)

• Inefficient memory usage when counting number of objects in tracks when updating job annotations or analytics report computing (#9903)

Added

• Made disk usage health check threshold configurable and updated documentation (#9870)

Changed

• FFmpeg updated to 8.0 (#9552)

• [SDK] Enabled retrying on some server error statuses by default (#9880)

Fixed

• Improved performance of task creation from cloud without manifest (#9827)

Security

• Bump Redis version to 7.2.11 to address CVE-2025-49844 (#9876)