CVE-2026-12593 (GCVE-0-2026-12593)

Vulnerability from cvelistv5 – Published: 2026-07-09 12:29 – Updated: 2026-07-09 14:20
VLAI
Title
Privilege escalation via forged API token creation in Axivion Dashboard OIDC/OAuth2/SSO subsystem
Summary
The implementation of an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition for successful exploitation was a preexisting internal user (with more privileges than the attacker), the attacker knowing its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker would then have had to forge a token creation API request on behalf of the other user and could have authenticated and finalized the token creation with their own OAuth/OIDC credentials. In the worst case, this would mean an attacker could have become Dashboard Administrator and been able to perform all administrative actions if the preexisting internal user had administrative privileges. In combination with a separate weakness, this could have further led to code execution on the host system running the Dashboard with the privileges of the OS-User running the Dashboard server.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
Impacted products
Vendor Product Version
Qt Axivion Affected: 7.8.5 , ≤ 7.8.12 (custom)
Affected: 7.9.0 , < 7.9.13 (custom)
Affected: 7.10.0 , < 7.10.11 (custom)
Affected: 7.11.0 , < 7.11.7 (custom)
Affected: 7.12.0 , < 7.12.2 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12593",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-07-09T14:20:08.451329Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-07-09T14:20:19.757Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "modules": [
            "Dashboard OIDC/OAuth2/SSO subsystem"
          ],
          "product": "Axivion",
          "vendor": "Qt",
          "versions": [
            {
              "lessThanOrEqual": "7.8.12",
              "status": "affected",
              "version": "7.8.5",
              "versionType": "custom"
            },
            {
              "lessThan": "7.9.13",
              "status": "affected",
              "version": "7.9.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.10.11",
              "status": "affected",
              "version": "7.10.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.11.7",
              "status": "affected",
              "version": "7.11.0",
              "versionType": "custom"
            },
            {
              "lessThan": "7.12.2",
              "status": "affected",
              "version": "7.12.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "7.8.12",
                  "versionStartIncluding": "7.8.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.9.13",
                  "versionStartIncluding": "7.9.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.10.11",
                  "versionStartIncluding": "7.10.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.11.7",
                  "versionStartIncluding": "7.11.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "7.12.2",
                  "versionStartIncluding": "7.12.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cdiv\u003e\u003cp\u003eThe implementation of an internal\u0026nbsp;and\u0026nbsp;undocumented\u0026nbsp;Dashboard\u0026nbsp;API endpoint\u0026nbsp;(POST /api/users/~/{user}/tokens)\u0026nbsp;forgot\u0026nbsp;to ensure an HTTP\u0026nbsp;request for creating an\u0026nbsp;API\u0026nbsp;Token for another\u0026nbsp;user had sufficient permission to do so.\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003ePrecondition for successful exploitation was a preexisting internal user (with more privileges than the attacker),\u0026nbsp;the attacker knowing\u0026nbsp;its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker\u0026nbsp;would then have\u0026nbsp;had\u0026nbsp;to forge a token creation\u0026nbsp;API\u0026nbsp;request\u0026nbsp;on behalf of the\u0026nbsp;other user and could have authenticated\u0026nbsp;and\u0026nbsp;finalized\u0026nbsp;the token creation\u0026nbsp;with their own\u0026nbsp;OAuth/OIDC\u0026nbsp;credentials. In the worst case, this would mean an attacker could\u0026nbsp;have\u0026nbsp;become Dashboard Administrator\u0026nbsp;and\u0026nbsp;been\u0026nbsp;able to\u0026nbsp;perform\u0026nbsp;all\u0026nbsp;administrative actions\u0026nbsp;if the preexisting internal user had administrative\u0026nbsp;privileges.\u0026nbsp;In combination with a separate weakness,\u0026nbsp;this could have\u0026nbsp;further\u0026nbsp;led\u0026nbsp;to code execution on the\u0026nbsp;host\u0026nbsp;system running the Dashboard with the privileges of the OS-User running the Dashboard\u0026nbsp;server.\u003c/p\u003e\u003c/div\u003e"
            }
          ],
          "value": "The implementation of an internal\u00a0and\u00a0undocumented\u00a0Dashboard\u00a0API endpoint\u00a0(POST /api/users/~/{user}/tokens)\u00a0forgot\u00a0to ensure an HTTP\u00a0request for creating an\u00a0API\u00a0Token for another\u00a0user had sufficient permission to do so.\n\n\n\n\n\nPrecondition for successful exploitation was a preexisting internal user (with more privileges than the attacker),\u00a0the attacker knowing\u00a0its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker\u00a0would then have\u00a0had\u00a0to forge a token creation\u00a0API\u00a0request\u00a0on behalf of the\u00a0other user and could have authenticated\u00a0and\u00a0finalized\u00a0the token creation\u00a0with their own\u00a0OAuth/OIDC\u00a0credentials. In the worst case, this would mean an attacker could\u00a0have\u00a0become Dashboard Administrator\u00a0and\u00a0been\u00a0able to\u00a0perform\u00a0all\u00a0administrative actions\u00a0if the preexisting internal user had administrative\u00a0privileges.\u00a0In combination with a separate weakness,\u00a0this could have\u00a0further\u00a0led\u00a0to code execution on the\u00a0host\u00a0system running the Dashboard with the privileges of the OS-User running the Dashboard\u00a0server."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "Authenticated Remote Privilege escalation. Any OIDC/OAuth authenticated user can become a Dashboard Administrator. By exploiting another weakness this can also lead to arbitrary code execution on the host-system running the Dashboard in the context of the OS-User used to run the Dashboard."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.7,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-09T12:29:47.260Z",
        "orgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
        "shortName": "TQtC"
      },
      "references": [
        {
          "name": "Qt Group Internal Vulnerability Ticket",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://wiki.qt.io/List_of_known_vulnerabilities_in_Qt_products#CVE-2026-12593"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eUpdate to one of the fixed releases: 7.9.13, 7.10.11, 7.11.7, or 7.12.2. There is no fixed release on the 7.8.x branch; deployments running 7.8.5-7.8.12 must migrate to one of the fixed releases.\u003c/p\u003e"
            }
          ],
          "value": "Update to one of the fixed releases: 7.9.13, 7.10.11, 7.11.7, or 7.12.2. There is no fixed release on the 7.8.x branch; deployments running 7.8.5-7.8.12 must migrate to one of the fixed releases."
        }
      ],
      "source": {
        "defectId": "BAUHAUS-30026",
        "discovery": "INTERNAL"
      },
      "title": "Privilege escalation via forged API token creation in Axivion Dashboard OIDC/OAuth2/SSO subsystem",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDisable the OIDC/OAuth2/SSO authentication feature or shut down the Dashboard server.\u003c/p\u003e"
            }
          ],
          "value": "Disable the OIDC/OAuth2/SSO authentication feature or shut down the Dashboard server."
        }
      ],
      "x_generator": {
        "engine": "Claude AI (Opus 4.8) - draft only, requires human validation before submission"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a59d8014-47c4-4630-ab43-e1b13cbe58e3",
    "assignerShortName": "TQtC",
    "cveId": "CVE-2026-12593",
    "datePublished": "2026-07-09T12:29:47.260Z",
    "dateReserved": "2026-06-18T09:26:17.599Z",
    "dateUpdated": "2026-07-09T14:20:19.757Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-12593",
      "date": "2026-07-11",
      "epss": "0.00281",
      "percentile": "0.1998"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-12593\",\"sourceIdentifier\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\",\"published\":\"2026-07-09T14:16:26.713\",\"lastModified\":\"2026-07-10T17:56:00.910\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The implementation of an internal\u00a0and\u00a0undocumented\u00a0Dashboard\u00a0API endpoint\u00a0(POST /api/users/~/{user}/tokens)\u00a0forgot\u00a0to ensure an HTTP\u00a0request for creating an\u00a0API\u00a0Token for another\u00a0user had sufficient permission to do so.\\n\\n\\n\\n\\n\\nPrecondition for successful exploitation was a preexisting internal user (with more privileges than the attacker),\u00a0the attacker knowing\u00a0its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker\u00a0would then have\u00a0had\u00a0to forge a token creation\u00a0API\u00a0request\u00a0on behalf of the\u00a0other user and could have authenticated\u00a0and\u00a0finalized\u00a0the token creation\u00a0with their own\u00a0OAuth/OIDC\u00a0credentials. In the worst case, this would mean an attacker could\u00a0have\u00a0become Dashboard Administrator\u00a0and\u00a0been\u00a0able to\u00a0perform\u00a0all\u00a0administrative actions\u00a0if the preexisting internal user had administrative\u00a0privileges.\u00a0In combination with a separate weakness,\u00a0this could have\u00a0further\u00a0led\u00a0to code execution on the\u00a0host\u00a0system running the Dashboard with the privileges of the OS-User running the Dashboard\u00a0server.\"}],\"affected\":[{\"source\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\",\"affectedData\":[{\"vendor\":\"Qt\",\"product\":\"Axivion\",\"defaultStatus\":\"unaffected\",\"modules\":[\"Dashboard OIDC/OAuth2/SSO subsystem\"],\"versions\":[{\"version\":\"7.8.5\",\"lessThanOrEqual\":\"7.8.12\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"7.9.0\",\"lessThan\":\"7.9.13\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"7.10.0\",\"lessThan\":\"7.10.11\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"7.11.0\",\"lessThan\":\"7.11.7\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"7.12.0\",\"lessThan\":\"7.12.2\",\"versionType\":\"custom\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"LOW\",\"subIntegrityImpact\":\"LOW\",\"subAvailabilityImpact\":\"LOW\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-09T14:20:08.451329Z\",\"id\":\"CVE-2026-12593\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-862\"}]}],\"references\":[{\"url\":\"https://wiki.qt.io/List_of_known_vulnerabilities_in_Qt_products#CVE-2026-12593\",\"source\":\"a59d8014-47c4-4630-ab43-e1b13cbe58e3\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-12593\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-09T14:20:08.451329Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-09T14:20:15.130Z\"}}], \"cna\": {\"title\": \"Privilege escalation via forged API token creation in Axivion Dashboard OIDC/OAuth2/SSO subsystem\", \"source\": {\"defectId\": \"BAUHAUS-30026\", \"discovery\": \"INTERNAL\"}, \"impacts\": [{\"descriptions\": [{\"lang\": \"en\", \"value\": \"Authenticated Remote Privilege escalation. Any OIDC/OAuth authenticated user can become a Dashboard Administrator. By exploiting another weakness this can also lead to arbitrary code execution on the host-system running the Dashboard in the context of the OS-User used to run the Dashboard.\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 8.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"LOW\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"LOW\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"LOW\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Qt\", \"modules\": [\"Dashboard OIDC/OAuth2/SSO subsystem\"], \"product\": \"Axivion\", \"versions\": [{\"status\": \"affected\", \"version\": \"7.8.5\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"7.8.12\"}, {\"status\": \"affected\", \"version\": \"7.9.0\", \"lessThan\": \"7.9.13\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.10.0\", \"lessThan\": \"7.10.11\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.11.0\", \"lessThan\": \"7.11.7\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.12.0\", \"lessThan\": \"7.12.2\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"Update to one of the fixed releases: 7.9.13, 7.10.11, 7.11.7, or 7.12.2. There is no fixed release on the 7.8.x branch; deployments running 7.8.5-7.8.12 must migrate to one of the fixed releases.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eUpdate to one of the fixed releases: 7.9.13, 7.10.11, 7.11.7, or 7.12.2. There is no fixed release on the 7.8.x branch; deployments running 7.8.5-7.8.12 must migrate to one of the fixed releases.\u003c/p\u003e\", \"base64\": false}]}], \"references\": [{\"url\": \"https://wiki.qt.io/List_of_known_vulnerabilities_in_Qt_products#CVE-2026-12593\", \"name\": \"Qt Group Internal Vulnerability Ticket\", \"tags\": [\"issue-tracking\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Disable the OIDC/OAuth2/SSO authentication feature or shut down the Dashboard server.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eDisable the OIDC/OAuth2/SSO authentication feature or shut down the Dashboard server.\u003c/p\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Claude AI (Opus 4.8) - draft only, requires human validation before submission\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The implementation of an internal\\u00a0and\\u00a0undocumented\\u00a0Dashboard\\u00a0API endpoint\\u00a0(POST /api/users/~/{user}/tokens)\\u00a0forgot\\u00a0to ensure an HTTP\\u00a0request for creating an\\u00a0API\\u00a0Token for another\\u00a0user had sufficient permission to do so.\\n\\n\\n\\n\\n\\nPrecondition for successful exploitation was a preexisting internal user (with more privileges than the attacker),\\u00a0the attacker knowing\\u00a0its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker\\u00a0would then have\\u00a0had\\u00a0to forge a token creation\\u00a0API\\u00a0request\\u00a0on behalf of the\\u00a0other user and could have authenticated\\u00a0and\\u00a0finalized\\u00a0the token creation\\u00a0with their own\\u00a0OAuth/OIDC\\u00a0credentials. In the worst case, this would mean an attacker could\\u00a0have\\u00a0become Dashboard Administrator\\u00a0and\\u00a0been\\u00a0able to\\u00a0perform\\u00a0all\\u00a0administrative actions\\u00a0if the preexisting internal user had administrative\\u00a0privileges.\\u00a0In combination with a separate weakness,\\u00a0this could have\\u00a0further\\u00a0led\\u00a0to code execution on the\\u00a0host\\u00a0system running the Dashboard with the privileges of the OS-User running the Dashboard\\u00a0server.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cdiv\u003e\u003cp\u003eThe implementation of an internal\u0026nbsp;and\u0026nbsp;undocumented\u0026nbsp;Dashboard\u0026nbsp;API endpoint\u0026nbsp;(POST /api/users/~/{user}/tokens)\u0026nbsp;forgot\u0026nbsp;to ensure an HTTP\u0026nbsp;request for creating an\u0026nbsp;API\u0026nbsp;Token for another\u0026nbsp;user had sufficient permission to do so.\u003c/p\u003e\u003c/div\u003e\u003cdiv\u003e\u003cp\u003ePrecondition for successful exploitation was a preexisting internal user (with more privileges than the attacker),\u0026nbsp;the attacker knowing\u0026nbsp;its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker\u0026nbsp;would then have\u0026nbsp;had\u0026nbsp;to forge a token creation\u0026nbsp;API\u0026nbsp;request\u0026nbsp;on behalf of the\u0026nbsp;other user and could have authenticated\u0026nbsp;and\u0026nbsp;finalized\u0026nbsp;the token creation\u0026nbsp;with their own\u0026nbsp;OAuth/OIDC\u0026nbsp;credentials. In the worst case, this would mean an attacker could\u0026nbsp;have\u0026nbsp;become Dashboard Administrator\u0026nbsp;and\u0026nbsp;been\u0026nbsp;able to\u0026nbsp;perform\u0026nbsp;all\u0026nbsp;administrative actions\u0026nbsp;if the preexisting internal user had administrative\u0026nbsp;privileges.\u0026nbsp;In combination with a separate weakness,\u0026nbsp;this could have\u0026nbsp;further\u0026nbsp;led\u0026nbsp;to code execution on the\u0026nbsp;host\u0026nbsp;system running the Dashboard with the privileges of the OS-User running the Dashboard\u0026nbsp;server.\u003c/p\u003e\u003c/div\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-862\", \"description\": \"CWE-862 Missing Authorization\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"7.8.12\", \"versionStartIncluding\": \"7.8.5\"}, {\"criteria\": \"cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"7.9.13\", \"versionStartIncluding\": \"7.9.0\"}, {\"criteria\": \"cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"7.10.11\", \"versionStartIncluding\": \"7.10.0\"}, {\"criteria\": \"cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"7.11.7\", \"versionStartIncluding\": \"7.11.0\"}, {\"criteria\": \"cpe:2.3:a:qt:axivion:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"7.12.2\", \"versionStartIncluding\": \"7.12.0\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"a59d8014-47c4-4630-ab43-e1b13cbe58e3\", \"shortName\": \"TQtC\", \"dateUpdated\": \"2026-07-09T12:29:47.260Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-12593\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-09T14:20:19.757Z\", \"dateReserved\": \"2026-06-18T09:26:17.599Z\", \"assignerOrgId\": \"a59d8014-47c4-4630-ab43-e1b13cbe58e3\", \"datePublished\": \"2026-07-09T12:29:47.260Z\", \"assignerShortName\": \"TQtC\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…