CVE-2026-0804
Path Traversal in Axis ACAP Configuration
Publication date: 2026-05-12
Last updated on: 2026-05-12
Assigner: Axis Communications AB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| axis | axis_os | From 12.0.0 (inc) to 12.10.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-35 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '.../...//' (doubled triple dot slash) sequences that can resolve to a location that is outside of that directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-0804 is a vulnerability found in AXIS OS versions 12.0.0 through 12.10.3 involving insufficient input validation in an ACAP configuration file.
This flaw could allow a path traversal attack, which means an attacker might be able to access files and directories outside the intended scope.
If exploited, this could lead to privilege escalation, giving the attacker higher-level access on the device.
However, exploitation requires the device to be configured to allow installation of unsigned ACAP applications and for an attacker to trick a victim into installing a malicious ACAP application.
How can this vulnerability impact me? :
If exploited, this vulnerability can lead to privilege escalation on the affected Axis device.
This means an attacker could gain higher-level access than intended, potentially allowing them to control or manipulate the device.
Such control could compromise the security and integrity of the device and any systems it interacts with.
However, exploitation requires specific conditions: the device must allow unsigned ACAP applications and the attacker must convince a user to install a malicious application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
There are no known public exploits or specific detection commands available for this vulnerability at this time.
Detection would primarily involve verifying if the Axis device is configured to allow the installation of unsigned ACAP applications, as exploitation requires this setting.
Additionally, monitoring for installation of any unsigned or suspicious ACAP applications on the device could help identify potential exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Axis device software to the latest version, specifically to Active Track 12.10.4 or later, where the patch addressing this vulnerability has been released.
If updating immediately is not possible, ensure that the device is not configured to allow the installation of unsigned ACAP applications, as this configuration is required for exploitation.
Users should also avoid installing ACAP applications from untrusted sources to prevent malicious application installation.