GHSA-2F7G-H2W3-WGVX
Vulnerability from github – Published: 2026-07-09 15:32 – Updated: 2026-07-09 15:32The implementation of an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so.
Precondition for successful exploitation was a preexisting internal user (with more privileges than the attacker), the attacker knowing its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker would then have had to forge a token creation API request on behalf of the other user and could have authenticated and finalized the token creation with their own OAuth/OIDC credentials. In the worst case, this would mean an attacker could have become Dashboard Administrator and been able to perform all administrative actions if the preexisting internal user had administrative privileges. In combination with a separate weakness, this could have further led to code execution on the host system running the Dashboard with the privileges of the OS-User running the Dashboard server.
{
"affected": [],
"aliases": [
"CVE-2026-12593"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-09T14:16:26Z",
"severity": "HIGH"
},
"details": "The implementation of an internal\u00a0and\u00a0undocumented\u00a0Dashboard\u00a0API endpoint\u00a0(POST /api/users/~/{user}/tokens)\u00a0forgot\u00a0to ensure an HTTP\u00a0request for creating an\u00a0API\u00a0Token for another\u00a0user had sufficient permission to do so.\n\n\n\n\n\nPrecondition for successful exploitation was a preexisting internal user (with more privileges than the attacker),\u00a0the attacker knowing\u00a0its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker\u00a0would then have\u00a0had\u00a0to forge a token creation\u00a0API\u00a0request\u00a0on behalf of the\u00a0other user and could have authenticated\u00a0and\u00a0finalized\u00a0the token creation\u00a0with their own\u00a0OAuth/OIDC\u00a0credentials. In the worst case, this would mean an attacker could\u00a0have\u00a0become Dashboard Administrator\u00a0and\u00a0been\u00a0able to\u00a0perform\u00a0all\u00a0administrative actions\u00a0if the preexisting internal user had administrative\u00a0privileges.\u00a0In combination with a separate weakness,\u00a0this could have\u00a0further\u00a0led\u00a0to code execution on the\u00a0host\u00a0system running the Dashboard with the privileges of the OS-User running the Dashboard\u00a0server.",
"id": "GHSA-2f7g-h2w3-wgvx",
"modified": "2026-07-09T15:32:32Z",
"published": "2026-07-09T15:32:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12593"
},
{
"type": "WEB",
"url": "https://wiki.qt.io/List_of_known_vulnerabilities_in_Qt_products#CVE-2026-12593"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.