Skip to main content

Revive Adserver EUVDEUVD-2026-38502

| CVE-2026-44957 MEDIUM
Improper Access Control (CWE-284)
2026-06-23 hackerone GHSA-4c2p-w68w-9rgw
4.3
CVSS 3.0 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
3.1 LOW

AC:H reflects the mandatory chaining prerequisite (CVE-2026-34917 or non-default extension); PR:L matches required authenticated low-privileged API access; no confidentiality or availability impact applies.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 23, 2026 - 17:08 vuln.today

DescriptionCVE.org

A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with CVE‑2026‑34917 or with third‑party API extensions that expose API functionality to low‑privileged users. Access control checks have been added to validate access to parent entities in the API modify methods.

AnalysisAI

Missing access control on XML-RPC API modify methods in Revive Adserver 6.0.6 and earlier permits authenticated low-privileged users to reassign entities to arbitrary parent entities, corrupting ownership relationships across campaigns, zones, or banners. This flaw is not independently exploitable - it requires chaining with CVE-2026-34917 or the presence of third-party API extensions that expose modify methods to low-privileged users, materially narrowing real-world risk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged API credentials
Delivery
Exploit CVE-2026-34917 or leverage third-party extension
Exploit
Send crafted XML-RPC modify request
Execution
Bypass parent-entity access check
Persist
Reassign entities to unauthorized parent
Impact
Corrupt cross-tenant ownership in adserver

Vulnerability AssessmentAI

Exploitation Exploitation is conditional on one of two non-default prerequisites: (1) CVE-2026-34917 must also be present and unpatched in the same installation, providing the attacker a pathway to elevate or misuse API access, OR (2) a third-party API extension must be deployed that exposes Revive Adserver's XML-RPC modify methods to low-privileged users - not a default configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.0 score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) reflects network-accessible but authenticated exploitation with limited integrity-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding a low-privileged Revive Adserver account - obtained either legitimately or through CVE-2026-34917 - submits a crafted XML-RPC modify request targeting an entity reassignment method, specifying a parent entity (e.g., a campaign or advertiser) outside their permitted scope. The server, lacking the access check, processes the reassignment and persists the corrupted ownership relationship, potentially allowing the attacker to inject content or manipulate billing and reporting across tenant boundaries. …
Remediation Upgrade Revive Adserver to the release in which access control validation on parent entities has been added to the XML-RPC API modify methods, as confirmed by the vendor fix described in HackerOne report https://hackerone.com/reports/3677576. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2023-26756 HIGH POC
7.5 Apr 14

The login page of Revive Adserver v5.4.1 is vulnerable to brute force attacks. Rated high severity (CVSS 7.5), this vuln

CVE-2026-50741 HIGH
8.8 Jun 26

Remote code execution in Revive Adserver is reachable by authenticated low-privilege users who bypass the prior fix for

CVE-2026-44959 HIGH
8.8 Jun 23

Authenticated PHP code injection in Revive Adserver 6.0.6 and earlier allows a low-privileged user to smuggle an unexpec

CVE-2026-34914 HIGH
8.3 Jun 23

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows authenticated low-privileged users to inject arbitrary S

CVE-2026-50745 MEDIUM
6.1 Jun 26

Reflected cross-site scripting in Revive Adserver's stats-video.php script allows remote attackers to inject arbitrary J

CVE-2026-34915 MEDIUM
6.1 Jun 23

Blind SQL injection in Revive Adserver 6.0.6 and earlier allows a low-privileged authenticated user to exfiltrate databa

CVE-2026-50740 MEDIUM
5.4 Jun 26

Reflected XSS in Revive Adserver 6.0.7 and earlier allows a low-privileged user to inject unsanitized JavaScript via the

CVE-2026-50742 MEDIUM
5.4 Jun 26

Stored cross-site scripting in Revive Adserver 6.0.7 allows an authenticated low-privilege attacker to inject persistent

CVE-2026-44958 MEDIUM
5.4 Jun 23

Privilege escalation within Revive Adserver 6.0.6 and earlier allows authenticated advertiser-level users to activate or

CVE-2026-34917 MEDIUM
4.3 Jun 23

Session context confusion in Revive Adserver allows a low-privileged web admin console user to reuse their session ID ag

CVE-2026-50744 MEDIUM
4.3 Jun 26

Session fixation via failed authentication in Revive Adserver 6.0.7's XML-RPC API allows a low-privileged attacker to by

CVE-2026-50739 MEDIUM
4.3 Jun 26

Ownership validation bypass in Revive Adserver 6.0.7 and earlier allows a low-privileged authenticated user to link thei

Share

EUVD-2026-38502 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy