Description
An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
Published: 2026-05-12
Score: 6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from insufficient input validation in an ACAP configuration file. An attacker can inject arbitrary commands, potentially enabling privilege escalation on the device. This flaw is identified as CWE-1287, a problem with untrusted input handling.

Affected Systems

Axis Communications AB Axis OS devices are impacted. No specific version information is provided; the issue applies wherever unsigned ACAP application installations are allowed.

Risk and Exploitability

The CVSS score of 6.0 indicates a medium severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed public exploits yet. Exploitation requires the device to permit unsigned ACAP installations and an attacker convincing a user to install a malicious ACAP. The likely attack vector therefore involves social engineering combined with configuration exploitation, making it less likely to be widely automated but still a concern for exposed or misconfigured devices.

Generated by OpenCVE AI on May 12, 2026 at 07:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the installation of unsigned ACAP applications in the device settings.
  • Only install ACAP applications that are signed and from trusted vendors.
  • Apply any vendor security updates or patches for Axis OS as soon as they become available.

Generated by OpenCVE AI on May 12, 2026 at 07:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Axis
Axis axis Os
CPEs cpe:2.3:o:axis:axis_os:*:*:*:*:active:*:*:*
Vendors & Products Axis
Axis axis Os

Tue, 12 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 12 May 2026 07:45:00 +0000

Type Values Removed Values Added
Title Command Injection via ACAP Configuration Leading to Privilege Escalation in Axis OS
First Time appeared Axis Communications Ab
Axis Communications Ab axis Os
Vendors & Products Axis Communications Ab
Axis Communications Ab axis Os

Tue, 12 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
Weaknesses CWE-1287
References
Metrics cvssV3_1

{'score': 6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Axis Axis Os
Axis Communications Ab Axis Os
cve-icon MITRE

Status: PUBLISHED

Assigner: Axis

Published:

Updated: 2026-05-13T03:57:50.980Z

Reserved: 2026-01-09T06:42:03.922Z

Link: CVE-2026-0802

cve-icon Vulnrichment

Updated: 2026-05-12T13:08:03.548Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T07:16:09.460

Modified: 2026-05-19T16:05:03.773

Link: CVE-2026-0802

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T07:30:10Z

Weaknesses