CVE-2026-0802
Analyzed Analyzed - Analysis Complete
ACAP Command Injection in Axis Devices

Publication date: 2026-05-12

Last updated on: 2026-05-19

Assigner: Axis Communications AB

Description
An ACAP configuration file lacked sufficient input validation, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install aΒ malicious ACAP application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-12
Last Modified
2026-05-19
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-0802
EUVD
EUVD-2026-29384
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
axis axis_os From 12.0.0 (inc) to 12.9.33 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1287 The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-0802 vulnerability affects Axis OS versions 12.0.0 to 12.9.32 and involves insufficient input validation in an ACAP configuration file.

This lack of proper input validation could allow an attacker to perform command injection, which may lead to privilege escalation on the affected device.

However, exploitation requires that the Axis device is configured to allow the installation of unsigned ACAP applications and that the attacker convinces the victim to install a malicious ACAP application.

Impact Analysis

If exploited, this vulnerability could allow an attacker to execute arbitrary commands on the device and escalate their privileges.

This could compromise the security and integrity of the Axis device, potentially allowing unauthorized control or access to sensitive functions.

The impact is mitigated if the device does not allow unsigned ACAP applications or if users do not install malicious ACAP apps.

Detection Guidance

This vulnerability involves insufficient input validation in an ACAP configuration file on Axis OS devices that allow the installation of unsigned ACAP applications. Detection would require checking if the device is configured to permit unsigned ACAP applications and whether any malicious ACAP applications have been installed.

No specific detection commands or tools are provided in the available information. Since no known public exploits exist and Axis is unaware of any active exploitation, monitoring for unauthorized ACAP application installations and reviewing device configuration settings related to ACAP application signing is recommended.

Mitigation Strategies

To mitigate this vulnerability, users should update their Axis device software to the patched version Active Track 12.9.33 or later, as released by Axis.

Additionally, ensure that the device is not configured to allow the installation of unsigned ACAP applications, as this setting is required for exploitation.

If further assistance is needed, users can consult the Axis vulnerability management portal or contact Axis technical support.

Compliance Impact

The provided information does not specify how the CVE-2026-0802 vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-0802. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart