Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
AnalysisAI
Privilege escalation in Axis OS via path traversal in ACAP configuration files allows high-privileged local attackers to achieve code execution with elevated permissions. The vulnerability requires the device to be configured for unsigned ACAP application installation and the attacker to socially engineer a user into installing a malicious ACAP application. CVSS 6.7 reflects high confidentiality, integrity, and availability impact, but exploitation is constrained by high-privilege requirement and user interaction. No public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
Axis Communications devices run Axis OS and support ACAP (Axis Camera Application Platform) for third-party application deployment. ACAP configuration files are processed during application installation and undergo insufficient input validation. An attacker can craft a malicious ACAP package containing a configuration file with path traversal sequences (e.g., '../../../') that escape the intended application sandbox or installation directory. This CWE-35 path traversal vulnerability allows the attacker to read, write, or modify files outside the application's permitted scope, including system files and binaries, leading to privilege escalation. The attack surface is narrowed by the requirement for unsigned application installation mode (a non-default configuration) and the need for a privileged user (PR:H in CVSS vector) to authorize the malicious application installation.
RemediationAI
Axis Communications has released a security advisory at https://www.axis.com/dam/public/51/64/ea/cve-2026-0804pdf-en-US-530732.pdf detailing patched firmware versions. Apply the recommended firmware update to all affected Axis devices without delay. As a critical compensating control, disable unsigned ACAP application installation on all Axis devices unless explicitly required for operations; this prevents the attack vector entirely by enforcing signed-application-only mode. Additionally, restrict ACAP installation permissions to a minimal set of administrative accounts and educate administrators not to install ACAP applications from untrusted sources. Organizations already running in signed-application-only mode do not need to prioritize this patch unless other vulnerabilities affect their deployment.
Privilege escalation in Axis VAPIX framework.
Privilege escalation vulnerability in Axis Communications' VAPIX Device Configuration framework that allows a local, aut
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to add the
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Appli
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API overlay_del.cgi is vulnerable to pa
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Devi
A user controlled parameter related to SMTP test functionality is not correctly validated making it possible to bypass b
GoSecure on behalf of Genetec Inc. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attac
The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code executio
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API irissetup.cgi was vulnerable to pat
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API manageoverlayimage.cgi was vulnerab
During internal Axis Security Development Model (ASDM) threat-modelling, a flaw was found in the protection for device t
Same weakness CWE-35 – Path Traversal: '.../...//'
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29385
GHSA-wjg9-57qr-c8p4