CVE-2026-12593
Received Received - Intake

Privilege Escalation in Dashboard API Token Creation

Vulnerability report for CVE-2026-12593, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: TQtC

Description

The implementation of an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition for successful exploitation was a preexisting internal user (with more privileges than the attacker), the attacker knowing its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker would then have had to forge a token creation API request on behalf of the other user and could have authenticated and finalized the token creation with their own OAuth/OIDC credentials. In the worst case, this would mean an attacker could have become Dashboard Administrator and been able to perform all administrative actions if the preexisting internal user had administrative privileges. In combination with a separate weakness, this could have further led to code execution on the host system running the Dashboard with the privileges of the OS-User running the Dashboard server.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
axivion dashboard From 7.8.5 (inc) to 7.8.12 (inc)
axivion dashboard From 7.9.0 (inc) to 7.9.12 (inc)
axivion dashboard From 7.10.0 (inc) to 7.10.10 (inc)
axivion dashboard From 7.11.0 (inc) to 7.11.6 (inc)
axivion dashboard From 7.12.0 (inc) to 7.12.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to escalate privileges to become a Dashboard Administrator, potentially leading to arbitrary code execution on the host system. Such unauthorized privilege escalation and potential system compromise can result in unauthorized access to sensitive data and administrative functions.

Consequently, this could impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. Failure to prevent unauthorized access and privilege escalation may lead to violations of these regulations.

Executive Summary

This vulnerability is a Missing Authorization flaw in the Dashboard OAuth/OIDC implementation of Axivion products. It occurs because an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) does not properly check if a request to create an API token for another user has sufficient permissions.

To exploit this, an attacker needs to know the login name of a preexisting internal user with more privileges and be able to authenticate to the Dashboard via OAuth/OIDC. The attacker can then forge a token creation request on behalf of that user and finalize the token creation using their own OAuth/OIDC credentials.

In the worst case, this allows the attacker to escalate their privileges to become a Dashboard Administrator, gaining the ability to perform all administrative actions.

Additionally, combined with another weakness, this could lead to arbitrary code execution on the host system running the Dashboard with the privileges of the operating system user running the Dashboard server.

Impact Analysis

This vulnerability can have severe impacts including unauthorized privilege escalation to Dashboard Administrator level.

An attacker exploiting this flaw could perform all administrative actions within the Dashboard, potentially compromising the entire system managed by the Dashboard.

In the worst scenario, it could lead to arbitrary code execution on the host system running the Dashboard, which means the attacker could execute malicious code with the same privileges as the Dashboard server's operating system user.

Detection Guidance

This vulnerability involves an undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) that allows privilege escalation via OAuth/OIDC authentication. Detection would involve monitoring for unauthorized or suspicious POST requests to this endpoint, especially those attempting to create API tokens for other users.

Network or system administrators can look for unusual API token creation requests in their logs or use network monitoring tools to detect POST requests to the /api/users/~/{user}/tokens endpoint from authenticated users who should not have such privileges.

Specific commands depend on the environment and logging setup, but examples include:

  • Using grep or similar tools on server logs to find POST requests to the vulnerable endpoint, e.g., `grep 'POST /api/users/~/' /var/log/dashboard_access.log`
  • Using network monitoring tools like tcpdump or Wireshark to filter HTTP POST requests to the API endpoint, e.g., `tcpdump -A -s 0 'tcp port 443 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/api/users/~/'`
  • Checking OAuth/OIDC authentication logs for suspicious token creation activities or unusual privilege escalations.
Mitigation Strategies

The primary mitigation is to upgrade the affected Axivion Dashboard software to a fixed version. The vulnerability has been fixed in Axivion versions 7.9.13, 7.10.11, 7.11.7, and 7.12.2 or later.

Until the upgrade can be applied, restrict access to the Dashboard API endpoint to trusted users only and monitor for suspicious API token creation requests.

Additionally, review and tighten OAuth/OIDC authentication and authorization policies to ensure that users cannot forge token creation requests on behalf of other users.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12593. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart