Skip to main content

Axis OS CVE-2026-0541

| EUVDEUVD-2026-29382 MEDIUM
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-05-12 Axis GHSA-2x9f-6v5j-gfh7
6.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.7 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 12, 2026 - 08:01 EUVD
Analysis Generated
May 12, 2026 - 06:45 vuln.today
CVE Published
May 12, 2026 - 05:42 nvd
MEDIUM 6.7

DescriptionCVE.org

ACAP applications can gain elevated privileges due to improper input validation during the installation process, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

AnalysisAI

Axis OS allows privilege escalation via improper input validation during ACAP application installation when unsigned applications are permitted, enabling authenticated attackers with high privileges to gain elevated system access. The vulnerability requires explicit administrative configuration allowing unsigned ACAP installations and victim interaction to install a malicious application. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

ACAP (Axis Camera Application Platform) is Axis Communications' framework for third-party application development on embedded camera and edge devices. The vulnerability stems from CWE-732 (Incorrect Permission Assignment for Critical Resource), indicating that during the ACAP application installation process, file permissions or capability assignments are not properly validated. This allows a malicious ACAP package to inherit or escalate privileges beyond its intended scope when installed on a device configured to bypass cryptographic signature verification. The affected component is the application installation handler within Axis OS, which processes ACAP application packages during deployment.

RemediationAI

Axis should release a patched Axis OS version that enforces cryptographic signature validation on all ACAP applications regardless of device configuration settings, eliminating the ability to disable this control. Until patching is available, administrators must ensure that their Axis devices are configured with the highest application security policies: enforce mandatory ACAP application code signing verification, restrict ACAP installation capabilities to strictly necessary administrative roles, and disable or remove any configuration options that permit unsigned application installation. Additionally, implement administrative access controls limiting who can modify application security policies or install new applications, and educate personnel that ACAP installations should only occur from trusted, authenticated sources with cryptographic proof of origin. Refer to the Axis advisory at https://www.axis.com/dam/public/fa/50/c7/cve-2026-0541pdf-en-US-530730.pdf for definitive patching guidance and device-specific remediation.

CVE-2025-0324 CRITICAL
9.4 Jun 02

Privilege escalation in Axis VAPIX framework.

CVE-2025-0358 HIGH
8.8 Jun 02

Privilege escalation vulnerability in Axis Communications' VAPIX Device Configuration framework that allows a local, aut

CVE-2021-31988 HIGH
8.8 Oct 05

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the

CVE-2025-0359 HIGH
8.5 Mar 04

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Appli

CVE-2023-21415 HIGH
8.1 Oct 16

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to pa

CVE-2025-0360 HIGH
7.8 Mar 04

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Devi

CVE-2021-31987 HIGH
7.5 Oct 05

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass b

CVE-2023-21413 HIGH
7.2 Oct 16

GoSecure on behalf of Genetec Inc. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attac

CVE-2025-11142 HIGH
7.1 Feb 10

The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code executio

CVE-2023-21418 HIGH
7.1 Nov 21

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to pat

CVE-2023-21417 HIGH
7.1 Nov 21

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerab

CVE-2023-5553 MEDIUM
6.8 Nov 21

During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device t

Share

CVE-2026-0541 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy