CVE-2026-0802
ACAP Command Injection in Axis Devices
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: Axis Communications AB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| axis | axis_os | From 12.0.0 (inc) to 12.9.32 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-0802 vulnerability affects Axis OS versions 12.0.0 to 12.9.32 and involves insufficient input validation in an ACAP configuration file.
This lack of proper input validation could allow an attacker to perform command injection, which may lead to privilege escalation on the affected device.
However, exploitation requires that the Axis device is configured to allow the installation of unsigned ACAP applications and that the attacker convinces the victim to install a malicious ACAP application.
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker to execute arbitrary commands on the device and escalate their privileges.
This could compromise the security and integrity of the Axis device, potentially allowing unauthorized control or access to sensitive functions.
The impact is mitigated if the device does not allow unsigned ACAP applications or if users do not install malicious ACAP apps.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves insufficient input validation in an ACAP configuration file on Axis OS devices that allow the installation of unsigned ACAP applications. Detection would require checking if the device is configured to permit unsigned ACAP applications and whether any malicious ACAP applications have been installed.
No specific detection commands or tools are provided in the available information. Since no known public exploits exist and Axis is unaware of any active exploitation, monitoring for unauthorized ACAP application installations and reviewing device configuration settings related to ACAP application signing is recommended.
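The two checks described above (firmware in the affected range, unsigned ACAP installation permitted) can be applied to a device inventory. The following is an added example, not code from Axis or from this page's sources; the CSV column names and the sample rows are hypothetical and constructed for illustration.

```python
import csv
import io

# Bounds taken from the affected-products table: Axis OS 12.0.0 to 12.9.32 inclusive.
AFFECTED_MIN = (12, 0, 0)
AFFECTED_MAX = (12, 9, 32)

# Constructed sample inventory; the column names are hypothetical, not an Axis export format.
SAMPLE_INVENTORY = """host,firmware,allow_unsigned_acap,unsigned_apps
cam-lobby,12.9.32,true,1
cam-dock,12.4.7,false,0
cam-roof,12.9.33,true,0
cam-gate,11.11.120,true,2
cam-lab,12.x-beta,true,0
"""

def parse_version(text):
    """Return (major, minor, patch), or None when the string is not N.N.N."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(row):
    """Map one inventory row to a triage label for CVE-2026-0802."""
    version = parse_version(row["firmware"])
    if version is None:
        return "unknown-version"            # never silently treat as safe
    if not (AFFECTED_MIN <= version <= AFFECTED_MAX):
        return "not-affected"
    if row["allow_unsigned_acap"].strip().lower() != "true":
        return "affected-precondition-off"  # still patch; unsigned ACAP is disabled
    if int(row["unsigned_apps"]) > 0:
        return "affected-review-apps"       # unsigned app present: review it first
    return "affected-unsigned-allowed"

def triage(inventory_csv):
    """Return {host: label} for every row of the CSV text."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row) for row in reader}

if __name__ == "__main__":
    for host, label in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {label}")
```

Rows labelled `unknown-version` need a manual firmware check before they can be ruled out.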
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users should update their Axis device software to the patched version Active Track 12.9.33 or later, as released by Axis.
Additionally, ensure that the device is not configured to allow the installation of unsigned ACAP applications, as this setting is required for exploitation.
If further assistance is needed, users can consult the Axis vulnerability management portal or contact Axis technical support.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the CVE-2026-0802 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.