CVE-2026-12593
Qt · Axivion
The Axivion Dashboard API contains an authorization flaw that allows authenticated users to create API tokens for other users without the required permissions.
Executive summary
An authorization bypass vulnerability in the Axivion Dashboard API allows authenticated users to escalate privileges by generating tokens for other accounts.
Vulnerability
The vulnerability exists in an internal API endpoint (POST /api/users/~/{user}/tokens), which fails to perform proper authorization checks. An authenticated user can exploit this to create API tokens for other users, effectively bypassing access controls and gaining unauthorized access to other accounts.
Business impact
This vulnerability represents a significant risk to organizational security by enabling privilege escalation and account takeover. With a CVSS score of 8.7, it poses a high risk of unauthorized data access and potential administrative compromise within the Axivion environment, which could lead to severe operational disruption.
Remediation
Immediate Action: Update to one of the fixed releases: 7.9.13, 7.10.11, 7.11.7, or 7.12.2. Users on the 7.8.x branch must migrate to one of these supported, patched versions.
Proactive Monitoring: Audit API token generation logs for any suspicious activity where tokens are being created for users other than the authenticated requester.
Compensating Controls: Limit access to the Axivion Dashboard API to known, trusted IP addresses using a WAF or network-level access control list until patching is completed.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The ability to generate unauthorized API tokens constitutes a critical security failure. Organizations must prioritize the migration to a patched version, especially for users on legacy 7.8.x versions, to ensure robust protection against unauthorized access.