CVE-2026-0804: Axis ACAP Privilege Escalation Vulnerability

CVE-2026-0804 Overview

CVE-2026-0804 is a path traversal vulnerability [CWE-35] in an Axis Communications Application Platform (ACAP) configuration file. The flaw stems from insufficient input validation in how the configuration file is parsed. An attacker who convinces a victim to install a malicious ACAP application can traverse outside the intended directory and escalate privileges on the Axis device.

Exploitation requires two preconditions. The Axis device must be configured to allow installation of unsigned ACAP applications, and the victim must install the attacker-supplied package. The attack vector is local and requires high privileges, which limits exposure but does not eliminate risk in environments that relax signing controls.

Critical Impact

Successful exploitation enables privilege escalation on Axis network devices through a malicious ACAP application that abuses path traversal in a configuration file.

Affected Products

• Axis devices that support ACAP (Axis Camera Application Platform) applications
• Axis devices configured to allow installation of unsigned ACAP applications
• Refer to the Axis Security Advisory CVE-2026-0804 for the complete product and firmware list

Discovery Timeline

• 2026-05-12 - CVE-2026-0804 published to the National Vulnerability Database
• 2026-05-12 - Last updated in NVD database

Technical Details for CVE-2026-0804

Vulnerability Analysis

The vulnerability resides in the parsing logic for an ACAP configuration file. The file accepts attacker-influenced values that are later used to construct file system paths. Because the parser does not validate or canonicalize these values, supplied strings containing directory traversal sequences are resolved relative to sensitive locations on the device.

ACAP applications run within a constrained context on Axis devices. By smuggling traversal sequences through the configuration file, a malicious application breaks that boundary and writes or accesses files outside its sandbox. The result is privilege escalation against a device that integrates into surveillance, access control, and physical security workflows.

Root Cause

The root cause is improper limitation of a pathname to a restricted directory, classified as [CWE-35] Path Traversal. The configuration parser trusts input fields without enforcing an allowlist of permitted paths, rejecting .. sequences, or canonicalizing the resolved path before use.

Attack Vector

Exploitation follows a local attack path with high privileges and no user interaction at exploit time. An operator must first place the device in a state that permits unsigned ACAP applications. The attacker then crafts a malicious ACAP package containing a configuration file with traversal payloads in path-related fields. When the victim installs the package, the device processes the configuration and acts on attacker-controlled paths, granting the application access to resources outside its intended scope. Technical specifics for the affected fields and exploitation primitives are documented in the Axis Security Advisory CVE-2026-0804.

Detection Methods for CVE-2026-0804

Indicators of Compromise

• Installation events for ACAP applications from unknown or unsigned publishers on Axis devices
• Configuration files inside ACAP packages containing ../ sequences or absolute paths referencing system directories
• Unexpected file writes or permission changes on Axis devices following an ACAP install
• Newly created processes, services, or accounts on Axis devices that correlate with recent ACAP application activity

Detection Strategies

• Inventory all Axis devices and flag any configured to allow unsigned ACAP installation
• Inspect ACAP .eap packages prior to deployment, parsing embedded configuration files for path traversal patterns
• Correlate device management API calls related to ACAP installation with subsequent privileged file system activity
• Compare device firmware and application listings against a known-good baseline to surface unauthorized installs

Monitoring Recommendations

• Forward Axis device system logs and ACAP application logs to a central log platform for retention and analysis
• Alert on changes to the device setting that controls acceptance of unsigned ACAP applications
• Monitor network segments hosting Axis devices for outbound connections originating from camera firmware to non-management infrastructure
• Review administrative authentication events on Axis devices for unexpected high-privilege sessions

How to Mitigate CVE-2026-0804

Immediate Actions Required

• Apply the fixed firmware identified in the Axis Security Advisory CVE-2026-0804 to all affected devices
• Disable installation of unsigned ACAP applications on every Axis device that does not require it
• Audit installed ACAP applications and remove any package whose origin cannot be verified
• Restrict administrative access to Axis device management interfaces to a small set of trusted operators

Patch Information

Axis Communications has published firmware updates that address CVE-2026-0804. Consult the Axis Security Advisory CVE-2026-0804 for the list of affected models and the specific firmware versions that contain the fix. Apply updates through the Axis Device Manager or the device web interface.

Workarounds

• Keep devices in their default state, which requires signed ACAP applications, until firmware can be updated
• Place Axis devices on a segmented management VLAN with no direct user access
• Enforce least privilege for accounts that can install ACAP applications on devices
• Block installation of third-party ACAP packages through device configuration policy until vetted

# Configuration example
# Verify the ACAP allow-unsigned setting via the Axis VAPI and disable it if enabled
curl -u "admin:${AXIS_ADMIN_PW}" --digest \
  "https://<device>/axis-cgi/param.cgi?action=update&root.Network.UPnP.AllowUnsignedACAP=no"

# Confirm the setting after change
curl -u "admin:${AXIS_ADMIN_PW}" --digest \
  "https://<device>/axis-cgi/param.cgi?action=list&group=root.Network.UPnP.AllowUnsignedACAP"