CVE-2026-0802 Overview
CVE-2026-0802 affects Axis network devices that support ACAP (AXIS Camera Application Platform) applications. An ACAP configuration file lacks sufficient input validation, allowing command injection that can lead to privilege escalation on the device. Exploitation requires two preconditions: the device must permit installation of unsigned ACAP applications, and an attacker must persuade the victim to install a malicious ACAP package. The weakness is classified as [CWE-1287] Improper Validation of Specified Type of Input. Axis published a security advisory on May 12, 2026 documenting the issue and remediation guidance.
Critical Impact
A malicious ACAP application can inject commands through an unvalidated configuration file and escalate privileges on the affected Axis device.
Affected Products
- Axis network devices supporting ACAP applications (see vendor advisory for specific firmware versions)
- Devices configured to allow installation of unsigned ACAP applications
- Refer to the Axis Security Advisory CVE-2026-0802 for the complete model and firmware list
Discovery Timeline
- 2026-05-12 - CVE-2026-0802 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-0802
Vulnerability Analysis
The vulnerability resides in how an ACAP configuration file is parsed and consumed on Axis devices. The configuration file is processed without adequate validation of input fields, allowing an attacker to embed shell metacharacters or command sequences. When the device processes the configuration values, the injected content is executed in the context of a higher-privileged process. This combination of weak input validation and unsafe command execution maps directly to [CWE-1287].
Because the attack vector is local and requires high privileges to install applications, the threat model centers on a device operator who has been socially engineered into deploying a malicious ACAP package. Successful exploitation yields elevated privileges on the device, compromising confidentiality and integrity of video feeds, credentials, and system configuration.
Root Cause
The ACAP configuration parser trusts attacker-influenced strings and passes them to a command interpreter without sanitization or argument separation. Missing allowlist validation on configuration keys and values permits injection of arbitrary commands during configuration load or apply operations.
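The two missing controls named above, type-checked allowlist validation and argument separation, shown as an added example that is not Axis code or part of the advisory. The configuration keys, their types and the helper path are hypothetical, and nothing is executed.

```python
import re

# Hypothetical schema: every key and the helper path are invented for this example.
SCHEMA = {
    "stream_fps": ("int", range(1, 61)),
    "log_level": ("enum", {"error", "warn", "info", "debug"}),
    "overlay_text": ("text", re.compile(r"[A-Za-z0-9 _.:-]{1,64}")),
}
HELPER = "/usr/bin/example-acap-helper"  # hypothetical binary, never executed here


class ConfigError(ValueError):
    pass


def validate(key, raw):
    """Check one raw string against the type declared for its key; return the typed value."""
    if key not in SCHEMA:
        raise ConfigError(f"unknown key: {key!r}")
    kind, rule = SCHEMA[key]
    if kind == "int":
        # fullmatch with [0-9] rejects signs, Unicode digits and trailing newlines.
        if not re.fullmatch(r"[0-9]{1,3}", raw) or int(raw) not in rule:
            raise ConfigError(f"{key}: not an integer in range")
        return int(raw)
    if kind == "enum":
        if raw not in rule:
            raise ConfigError(f"{key}: not an allowed value")
        return raw
    if not rule.fullmatch(raw):
        raise ConfigError(f"{key}: disallowed characters or length")
    return raw


def build_argv(config):
    """Validate every setting first, then return one argv list per setting.

    Each value is a single list element, so a caller that runs the list with
    subprocess.run(argv) and no shell=True never has the value re-parsed by a shell.
    """
    checked = {k: validate(k, v) for k, v in config.items()}
    return [[HELPER, "--set", k, str(v)] for k, v in checked.items()]
```

Validation runs over the whole configuration before any argv is returned, so one bad field rejects the load instead of leaving it half applied.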
Attack Vector
An attacker first crafts a malicious ACAP application containing a weaponized configuration file. The attacker then convinces a device administrator to enable unsigned ACAP installation and deploy the package. During configuration processing, the injected commands execute with elevated privileges, granting the attacker control over the device. Exploitation is not possible on devices that retain the default policy of accepting only signed ACAP applications.
No public proof-of-concept code is available. Technical specifics are limited to those described in the Axis Security Advisory CVE-2026-0802.
Detection Methods for CVE-2026-0802
Indicators of Compromise
- Presence of unsigned or unexpected ACAP applications on Axis devices
- ACAP configuration files containing shell metacharacters such as ;, |, `, $(, or newline-separated commands
- Unexplained child processes spawned by the ACAP runtime or device management daemon
- Outbound network connections from the device to unknown hosts following an ACAP installation event
Detection Strategies
- Inventory all installed ACAP applications and verify each is signed and sourced from a trusted publisher
- Audit device settings to confirm whether unsigned ACAP installation is enabled, and treat any device with this setting as higher risk
- Compare deployed ACAP package hashes against a known-good baseline maintained by the security team
- Review device system logs for configuration apply events that precede anomalous process activity
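A pre-installation triage check combining two items from the lists above: the metacharacter indicator (`;`, `|`, a backtick, `$(`) and the known-good hash baseline. This is an added example, not a vendor tool; it assumes an ACAP package is a gzip-compressed tar archive and that the configuration file names listed in `CONFIG_NAMES` apply to your packages, and the sample packages are constructed in memory.

```python
import hashlib
import io
import re
import tarfile

# Assumption: the package is a (gzip-compressed) tar archive whose configuration
# lives in text files with these names; adjust the set for your fleet.
CONFIG_NAMES = {"package.conf", "manifest.json", "param.conf"}
# Metacharacters from the indicator list: ; | ` and $(
SUSPICIOUS = re.compile(r"[;|`]|\$\(")


def scan_package(blob, baseline):
    """Return (sha256, known_good, findings) for one package held in memory."""
    digest = hashlib.sha256(blob).hexdigest()
    findings = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar:
            name = member.name.rsplit("/", 1)[-1]
            if not member.isfile() or name not in CONFIG_NAMES:
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                hit = SUSPICIOUS.search(line)
                if hit:  # record file, line number and the first matching token
                    findings.append((member.name, lineno, hit.group()))
    return digest, digest in baseline, findings


def build_sample(files):
    """Build a constructed in-memory package from {name: text} for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: one clean package, one with a metacharacter in a value.
CLEAN = build_sample({"package.conf": 'APPNAME="viewer"\nSTARTMODE="never"\n'})
TAMPERED = build_sample({"package.conf": 'APPNAME="viewer"\nSTARTMODE="never; id"\n'})
BASELINE = {hashlib.sha256(CLEAN).hexdigest()}

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, scan_package(blob, BASELINE))
```

A hit is a reason to review the package by hand, not proof of compromise, since these characters can appear in legitimate descriptive text.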
Monitoring Recommendations
- Forward Axis device syslog to a centralized logging platform and alert on ACAP install, uninstall, and configuration change events
- Monitor administrative access to the Axis web interface and VAPIX endpoints used for ACAP management
- Track network egress from camera VLANs to identify post-exploitation command-and-control activity
How to Mitigate CVE-2026-0802
Immediate Actions Required
- Disable installation of unsigned ACAP applications on all Axis devices through the device configuration
- Remove any ACAP applications that are not required for business operations or whose provenance is unverified
- Restrict administrative access to Axis devices using network segmentation and strong authentication
- Apply the firmware update referenced in the Axis advisory once available for the affected device model
Patch Information
Axis has published remediation guidance in the Axis Security Advisory CVE-2026-0802. Administrators should consult the advisory for the patched firmware version applicable to their device model and apply the update through the standard Axis firmware upgrade process.
Workarounds
- Enforce the default Axis policy that permits only signed ACAP applications from trusted publishers
- Place Axis devices on an isolated management VLAN that blocks inbound access from general user networks
- Require multi-person approval for any ACAP installation in production environments
# Configuration example: verify and disable unsigned ACAP installation via VAPIX
# Query current allow-unsigned setting
curl -u admin:PASSWORD --digest \
"https://CAMERA_IP/axis-cgi/param.cgi?action=list&group=Network.ACAP.AllowUnsigned"
# Disable unsigned ACAP installation
curl -u admin:PASSWORD --digest \
"https://CAMERA_IP/axis-cgi/param.cgi?action=update&Network.ACAP.AllowUnsigned=no"


