Unauthorized Token Creation in Dashboard API for Qt Products
CVE-2026-12593

8.7HIGH

Key Information:

Vendor

Qt

Status
Vendor
CVE Published:
9 July 2026

What is CVE-2026-12593?

This vulnerability arises from an undocumented internal Dashboard API endpoint that fails to verify sufficient user permissions for creating API tokens on behalf of another user. By exploiting this weakness, a malicious actor with knowledge of a more privileged user's login credentials could forge a token creation request. If successful, the attacker could authenticate as that user, potentially gaining administrative access to the Dashboard. In scenarios where the target user holds administrative privileges, the attacker would effectively obtain full control over the Dashboard, enabling them to perform all administrative actions. Furthermore, this vulnerability can be exploited in conjunction with other weaknesses, potentially leading to code execution on the underlying host system, compromising the security of the entire setup.

Affected Version(s)

Axivion 7.8.5 <= 7.8.12

Axivion 7.9.0 < 7.9.13

Axivion 7.10.0 < 7.10.11

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.