Back to overview

CVE-2026-12593

HIGH
8.7
CVSS 4.0
Description
The implementation of an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition for successful exploitation was a preexisting internal user (with more privileges than the attacker), the attacker knowing its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker would then have had to forge a token creation API request on behalf of the other user and could have authenticated and finalized the token creation with their own OAuth/OIDC credentials. In the worst case, this would mean an attacker could have become Dashboard Administrator and been able to perform all administrative actions if the preexisting internal user had administrative privileges. In combination with a separate weakness, this could have further led to code execution on the host system running the Dashboard with the privileges of the OS-User running the Dashboard server.

Metadata

CVE ID
CVE-2026-12593
State
PUBLISHED
Assigner
TQtC
Reserved
2026-06-18 09:26 UTC
Published
2026-07-09 12:29 UTC
Last updated
2026-07-09 12:29 UTC
Primary CWE
CWE-862
CWE-862 Missing Authorization
Vendor / Product
Qt / Axivion
Sources
cve.org  ·  NVD

Severity & Metrics

8.7 HIGH CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
Affected products (1)
VendorProductPlatformVersions
Qt Axivion 7.8.5 ≤ 7.8.12, 7.9.0 < 7.9.13, 7.10.0 < 7.10.11, 7.11.0 < 7.11.7 …
Weakness (CWE)
CWESourceDescription
CWE-862 cna CWE-862 Missing Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
8.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
References (1)
Back to overview