CVE-2026-12593

Qt · Axivion

The Axivion Dashboard API contains an authorization flaw that allows authenticated users to create API tokens for other users without the required permissions.

Executive summary

An authorization bypass vulnerability in the Axivion Dashboard API allows authenticated users to escalate privileges by generating tokens for other accounts.

Vulnerability

The vulnerability exists in an internal API endpoint (POST /api/users/~/{user}/tokens), which fails to perform proper authorization checks. An authenticated user can exploit this to create API tokens for other users, effectively bypassing access controls and gaining unauthorized access to other accounts.

Business impact

This vulnerability represents a significant risk to organizational security by enabling privilege escalation and account takeover. With a CVSS score of 8.7, it poses a high risk of unauthorized data access and potential administrative compromise within the Axivion environment, which could lead to severe operational disruption.

Remediation

Immediate Action: Update to one of the fixed releases: 7.9.13, 7.10.11, 7.11.7, or 7.12.2. Users on the 7.8.x branch must migrate to one of these supported, patched versions.

Proactive Monitoring: Audit API token generation logs for any suspicious activity where tokens are being created for users other than the authenticated requester.

Compensating Controls: Limit access to the Axivion Dashboard API to known, trusted IP addresses using a WAF or network-level access control list until patching is completed.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The ability to generate unauthorized API tokens constitutes a critical security failure. Organizations must prioritize the migration to a patched version, especially for users on legacy 7.8.x versions, to ensure robust protection against unauthorized access.