Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
AnalysisAI
Axis OS allows privilege escalation via improper input validation during ACAP application installation when unsigned applications are permitted, enabling authenticated attackers with high privileges to gain elevated system access. The vulnerability requires explicit administrative configuration allowing unsigned ACAP installations and victim interaction to install a malicious application. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
ACAP (Axis Camera Application Platform) is Axis Communications' framework for third-party application development on embedded camera and edge devices. The vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource), indicating that during the ACAP application installation process, file permissions or capability assignments are not properly validated. This allows a malicious ACAP package to inherit or escalate privileges beyond its intended scope when installed on a device configured to bypass cryptographic signature verification. The affected component is the application installation handler within Axis OS, which processes ACAP application packages during deployment.
RemediationAI
Axis should release a patched Axis OS version that enforces cryptographic signature validation on all ACAP applications regardless of device configuration settings, eliminating the ability to disable this control. Until patching is available, administrators must ensure that their Axis devices are configured with the highest application security policies: enforce mandatory ACAP application code signing verification, restrict ACAP installation capabilities to strictly necessary administrative roles, and disable or remove any configuration options that permit unsigned application installation. Additionally, implement administrative access controls limiting who can modify application security policies or install new applications, and educate personnel that ACAP installations should only occur from trusted, authenticated sources with cryptographic proof of origin. Refer to the Axis advisory at https://www.axis.com/dam/public/fa/50/c7/cve-2026-0541pdf-en-US-530730.pdf for definitive patching guidance and device-specific remediation.
Privilege escalation in Axis VAPIX framework.
Privilege escalation vulnerability in Axis Communications' VAPIX Device Configuration framework that allows a local, aut
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Appli
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to pa
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Devi
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass b
GoSecure on behalf of Genetec Inc. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attac
The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code executio
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to pat
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerab
During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device t
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29382
GHSA-2x9f-6v5j-gfh7