2 matches found
CVE-2026-12593 Privilege escalation via forged API token creation in Axivion Dashboard OIDC/OAuth2/SSO subsystem
The implementation of an internal and undocumented Dashboard API endpoint POST /api/users//user/tokens forgot to ensure an HTTP request for creating an API Token for another user had sufficient permission to do so. Precondition for successful exploitation was a preexisting internal user with more...
CVE-2026-12593
The CVE concerns Axivion Dashboard’s OIDC/OAuth2/SSO subsystem. An internal, undocumented API endpoint (POST /api/users/~/{user}/tokens) did not enforce sufficient permissions when creating an API token for another user. Preconditions include an internal user with higher privileges, knowledge of ...