Skip to main content

Axis OS EUVDEUVD-2026-29385

| CVE-2026-0804 MEDIUM
Path Traversal: '.../...//' (CWE-35)
2026-05-12 Axis GHSA-wjg9-57qr-c8p4
6.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.7 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 12, 2026 - 08:01 EUVD
Analysis Generated
May 12, 2026 - 06:45 vuln.today
CVE Published
May 12, 2026 - 05:46 nvd
MEDIUM 6.7

DescriptionCVE.org

An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

AnalysisAI

Privilege escalation in Axis OS via path traversal in ACAP configuration files allows high-privileged local attackers to achieve code execution with elevated permissions. The vulnerability requires the device to be configured for unsigned ACAP application installation and the attacker to socially engineer a user into installing a malicious ACAP application. CVSS 6.7 reflects high confidentiality, integrity, and availability impact, but exploitation is constrained by high-privilege requirement and user interaction. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

Axis Communications devices run Axis OS and support ACAP (Axis Camera Application Platform) for third-party application deployment. ACAP configuration files are processed during application installation and undergo insufficient input validation. An attacker can craft a malicious ACAP package containing a configuration file with path traversal sequences (e.g., '../../../') that escape the intended application sandbox or installation directory. This CWE-35 path traversal vulnerability allows the attacker to read, write, or modify files outside the application's permitted scope, including system files and binaries, leading to privilege escalation. The attack surface is narrowed by the requirement for unsigned application installation mode (a non-default configuration) and the need for a privileged user (PR:H in CVSS vector) to authorize the malicious application installation.

RemediationAI

Axis Communications has released a security advisory at https://www.axis.com/dam/public/51/64/ea/cve-2026-0804pdf-en-US-530732.pdf detailing patched firmware versions. Apply the recommended firmware update to all affected Axis devices without delay. As a critical compensating control, disable unsigned ACAP application installation on all Axis devices unless explicitly required for operations; this prevents the attack vector entirely by enforcing signed-application-only mode. Additionally, restrict ACAP installation permissions to a minimal set of administrative accounts and educate administrators not to install ACAP applications from untrusted sources. Organizations already running in signed-application-only mode do not need to prioritize this patch unless other vulnerabilities affect their deployment.

CVE-2025-0324 CRITICAL
9.4 Jun 02

Privilege escalation in Axis VAPIX framework.

CVE-2025-0358 HIGH
8.8 Jun 02

Privilege escalation vulnerability in Axis Communications' VAPIX Device Configuration framework that allows a local, aut

CVE-2021-31988 HIGH
8.8 Oct 05

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the

CVE-2025-0359 HIGH
8.5 Mar 04

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Appli

CVE-2023-21415 HIGH
8.1 Oct 16

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to pa

CVE-2025-0360 HIGH
7.8 Mar 04

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Devi

CVE-2021-31987 HIGH
7.5 Oct 05

A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass b

CVE-2023-21413 HIGH
7.2 Oct 16

GoSecure on behalf of Genetec Inc. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attac

CVE-2025-11142 HIGH
7.1 Feb 10

The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code executio

CVE-2023-21418 HIGH
7.1 Nov 21

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to pat

CVE-2023-21417 HIGH
7.1 Nov 21

Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerab

CVE-2023-5553 MEDIUM
6.8 Nov 21

During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device t

Share

EUVD-2026-29385 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy