Auth bypass in Qt Axivion
CVE-2026-12593
The implementation of an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition f…
Vulnerability class: Broken Access Control
Affected products
- Qt Axivion — versions 7.8.5, 7.9.0, 7.10.0
Weakness classification (CWE)
References
- a59d8014-47c4-4630-ab43-e1b13cbe58e3 (issue-tracking)