Skip to main content

Axis OS EUVDEUVD-2026-29384

| CVE-2026-0802 MEDIUM
Improper Validation of Specified Type of Input (CWE-1287)
2026-05-12 Axis GHSA-v86x-m45w-rqrq
6.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.0 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
May 12, 2026 - 08:01 EUVD
Analysis Generated
May 12, 2026 - 06:45 vuln.today
CVE Published
May 12, 2026 - 05:44 nvd
MEDIUM 6.0

DescriptionCVE.org

An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

AnalysisAI

Command injection in Axis OS ACAP configuration file processing allows privilege escalation when unsigned ACAP applications are enabled and a user installs a malicious application. The vulnerability requires high-privileged user interaction and local access but bypasses normal code signing protections to achieve code execution with elevated privileges.

Technical ContextAI

ACAP (Axis Camera Application Platform) is Axis Communications' application framework for embedded devices. The vulnerability stems from insufficient input validation (CWE-1287: Improper Neutralization of Special Elements used in a Command) in how ACAP configuration files are parsed and processed. When an unsigned ACAP application is installed on a device configured to permit such installations, a malicious actor can inject shell commands into the configuration file. The Axis OS then executes these commands during ACAP initialization or operation, potentially with elevated privileges. The attack surface is limited by the requirement to disable code-signing verification and convince a high-privileged user to install the malicious application.

RemediationAI

Update Axis OS to the patched version specified by Axis Communications. The primary mitigation is to enforce the default security configuration: disable the installation of unsigned ACAP applications via device administration settings. This eliminates the attack vector entirely and should be the standard configuration except in controlled development environments. Organizations requiring unsigned ACAP capability should implement compensating controls including: restrict ACAP installation to authenticated administrators with multi-factor authentication, audit all ACAP installation activity, and perform security scanning of custom ACAP binaries before deployment. Consult the Axis advisory at https://www.axis.com/dam/public/67/b8/75/cve-2026-0802pdf-en-US-530731.pdf for the exact patched OS version and deployment instructions.

CVE-2025-0324 CRITICAL
9.4 Jun 02

Privilege escalation in Axis VAPIX framework.

CVE-2025-0358 HIGH
8.8 Jun 02

Privilege escalation vulnerability in Axis Communications' VAPIX Device Configuration framework that allows a local, aut

CVE-2021-31988 HIGH
8.8 Oct 05

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the

CVE-2025-0359 HIGH
8.5 Mar 04

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Appli

CVE-2023-21415 HIGH
8.1 Oct 16

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to pa

CVE-2025-0360 HIGH
7.8 Mar 04

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Devi

CVE-2021-31987 HIGH
7.5 Oct 05

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass b

CVE-2023-21413 HIGH
7.2 Oct 16

GoSecure on behalf of Genetec Inc. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attac

CVE-2025-11142 HIGH
7.1 Feb 10

The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code executio

CVE-2023-21418 HIGH
7.1 Nov 21

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to pat

CVE-2023-21417 HIGH
7.1 Nov 21

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerab

CVE-2023-5553 MEDIUM
6.8 Nov 21

During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device t

Share

EUVD-2026-29384 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy