PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-0804 Axis Communications AB CVE debrief

A path traversal vulnerability in Axis OS ACAP configuration file handling could allow privilege escalation when unsigned ACAP application installation is enabled. The vulnerability requires both administrative misconfiguration (allowing unsigned apps) and social engineering to install a malicious application. Axis has released patched firmware in version 12.10.4.

Vendor: Axis Communications AB
Product: AXIS OS
CVSS: MEDIUM 6.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-19
Advisory published: 2026-05-12
Advisory updated: 2026-05-19

Who should care

Axis network camera and device administrators, physical security teams, IoT security practitioners, and organizations deploying Axis surveillance infrastructure

Technical summary

CVE-2026-0804 is a path traversal vulnerability (CWE-35) in Axis OS affecting versions 12.0.0 through 12.10.3. The flaw is in ACAP (Axis Camera Application Platform) configuration file handling, which lacks sufficient input validation. Exploitation requires the device to be configured to allow unsigned ACAP applications and requires an attacker to convince a victim to install a malicious ACAP application. Successful exploitation could lead to privilege escalation. The CVSS 3.1 score is 6.7 (MEDIUM), reflecting a local attack vector, low attack complexity, and high privileges required. The vulnerability was patched in Axis OS 12.10.4.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Axis OS to version 12.10.4 or later
  • Disable unsigned ACAP application installation in device configuration
  • Restrict ACAP application installation to trusted administrators only
  • Verify ACAP application signatures before installation
  • Review installed ACAP applications for unauthorized or suspicious entries
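
A fleet triage sketch for the first two actions, added here as an example and not taken from Axis or the advisory: it buckets devices by the affected range stated on this page (12.0.0 through 12.10.3) and by whether unsigned ACAP installation is allowed. The inventory columns and host names are hypothetical and the sample rows are constructed; how the unsigned-ACAP setting is exported from a device is assumed to be handled elsewhere.

```python
import csv
import io

# Affected range as stated on this page; 12.10.4 is the fixed release.
FIRST_AFFECTED = (12, 0, 0)
LAST_AFFECTED = (12, 10, 3)

# Constructed sample inventory; column names and hosts are hypothetical.
SAMPLE_INVENTORY = """host,firmware,allow_unsigned
cam-lobby,12.9.2,yes
cam-dock,12.10.3,no
cam-gate,12.10.4,yes
cam-roof,11.11.5,yes
cam-lab,12.x-beta,no
"""


def parse_version(text):
    """Turn '12.10.3' into (12, 10, 3); return None if not purely numeric."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    # Pad to three components so '12.10' compares as 12.10.0.
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def classify(firmware, allow_unsigned):
    """Map one device to a triage bucket for CVE-2026-0804."""
    version = parse_version(firmware)
    if version is None:
        return "unknown-version"  # check by hand rather than guess
    # Tuple comparison is numeric: (12, 9, 2) < (12, 10, 3), whereas the
    # string comparison "12.9.2" > "12.10.3" would miss this device.
    if not (FIRST_AFFECTED <= version <= LAST_AFFECTED):
        return "not-affected"
    if allow_unsigned:
        return "affected-unsigned-allowed"  # both preconditions present
    return "affected-unsigned-disabled"  # still upgrade to 12.10.4


def triage(inventory_csv):
    """Return {host: bucket} for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["firmware"],
                                r["allow_unsigned"].strip().lower() == "yes")
            for r in rows}


if __name__ == "__main__":
    for host, bucket in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {bucket}")
```

Devices in the `affected-unsigned-allowed` bucket meet both preconditions described in the summary and are the ones to upgrade and reconfigure first.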

Evidence notes

Vendor advisory confirms CWE-35 (Path Traversal) and CVSS 3.1 vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. Affected versions: Axis OS 12.0.0 through 12.10.3. Fixed in 12.10.4.
