highCVE-2026-12593

Qt Axivion Dashboard API Token Creation Authorization Bypass Vulnerability

The implementation of an internal and undocumented Dashboard API endpoint (POST /api/users/~/{user}/tokens) forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition for successful exploitation was a preexisting internal user (with more privileges than the attacker), the attacker knowing its login name and the attacker being able to authenticate to the Dashboard via OAuth/OIDC. The attacker would then have had to forge a token creation API request on behalf of the other user and could have authenticated and finalized the token creation with their own OAuth/OIDC credentials. In the worst case, this would mean an attacker could have become Dashboard Administrator and been able to perform all administrative actions if the preexisting internal user had administrative privileges. In combination with a separate weakness, this could have further led to code execution on the host system running the Dashboard with the privileges of the OS-User running the Dashboard server.

ProductAxivion Dashboard
CVSS8.7
EPSSNot scored yet
UpdatedJuly 10, 2026

Quick answer

Qt Group Axivion Dashboard should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Qt Axivion Dashboard versions listed in Qt vulnerability guidance

Fixed versions

  • Apply the fixed Qt Axivion Dashboard release from vendor guidance

How to fix it

Qt Axivion Dashboard is affected by an authorization bypass in an internal API endpoint that can create API tokens for another user under specific OAuth or OIDC conditions. Apply the fixed Axivion Dashboard release from Qt guidance and review token creation activity. Prioritize deployments using SSO and internal users with administrative privileges.

  1. Inventory Qt Axivion Dashboard deployments and identify OAuth, OIDC, or SSO configurations.
  2. Apply the fixed Axivion Dashboard release listed in Qt vulnerability guidance for CVE-2026-12593.
  3. Restrict Dashboard administration and API endpoints to trusted networks and authorized users.
  4. Review API token creation logs, OAuth/OIDC login events, and administrator account activity.
  5. Revoke suspicious API tokens and rotate secrets for affected users if token creation abuse is found.
  6. Ensure token creation endpoints enforce permission checks for the target user, not only the authenticated requester.
  7. Review host integrity if related weaknesses could have enabled code execution on the Dashboard server.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm Axivion Dashboard is on a fixed release for CVE-2026-12593.
  • Validate a user cannot create API tokens for another user without proper permission.
  • Review Dashboard, OAuth, OIDC, and API logs for forged token creation attempts.
  • Test normal API token creation and SSO login workflows after the update.
  • Run a Fixnx scan and confirm no public Dashboard administration endpoint is exposed.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-12593?

Qt Group Axivion Dashboard versions listed as affected should be reviewed: Qt Axivion Dashboard versions listed in Qt vulnerability guidance.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.