Unauthorized Token Creation in Dashboard API for Qt Products
CVE-2026-12593
What is CVE-2026-12593?
This vulnerability arises from an undocumented internal Dashboard API endpoint that fails to verify sufficient user permissions for creating API tokens on behalf of another user. By exploiting this weakness, a malicious actor with knowledge of a more privileged user's login credentials could forge a token creation request. If successful, the attacker could authenticate as that user, potentially gaining administrative access to the Dashboard. In scenarios where the target user holds administrative privileges, the attacker would effectively obtain full control over the Dashboard, enabling them to perform all administrative actions. Furthermore, this vulnerability can be exploited in conjunction with other weaknesses, potentially leading to code execution on the underlying host system, compromising the security of the entire setup.
Affected Version(s)
Axivion 7.8.5 <= 7.8.12
Axivion 7.9.0 < 7.9.13
Axivion 7.10.0 < 7.10.11
