Auth bypass in Qt Axivion

CVE-2026-12593

The implementation of an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition f…

Vulnerability class: Broken Access Control

Affected products

Weakness classification (CWE)

References