Description
A missing access control check when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API, allows a low‑privileged user to link their zones to banners or campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that banners and campaigns can only be linked to zones managed by the same account.
Published: 2026-06-23
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing access control check in the zone-include.php script and its API. A low‑privileged user can link zones to banners or campaigns belonging to other managers on the same Revive Adserver instance, creating inconsistent ownership relationships. This can lead to confusion over content ownership and may allow unauthorized manipulation of advertising resources.

Affected Systems

The flaw affects Revive Adserver versions 6.0.6 and earlier. Any deployment running one of these releases is susceptible until it is upgraded to a release that adds the ownership validation.

Risk and Exploitability

The CVSS score of 4.3 indicates medium severity (integrity impact only, no confidentiality or availability impact), and no EPSS score or KEV listing has been recorded for this issue. Exploitation requires an authenticated user with low privileges on the same instance, and the attacker must use the zone-include.php page or the API to perform the linking. As the issue is constrained to internal users and does not provide code execution or privilege escalation, the overall threat remains limited but non‑negligible.

Generated by OpenCVE AI on June 23, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch (Revive Adserver version >6.0.6) to restore ownership validation
  • Revoke or reduce permissions for low‑privileged users to prevent zone inclusion actions
  • Monitor API calls and log entries for unauthorized linking operations

Advisories

No advisories yet.

References
History

Tue, 23 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Revive; Revive adserver
Vendors & Products | | Revive; Revive adserver

Tue, 23 Jun 2026 19:45:00 +0000

Type | Values Removed | Values Added
Title | | Missing Access Control Allows Low‑Privileged User to Link Zones to Banners/Campaigns of Other Managers

Tue, 23 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | A missing access control check when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API, allows a low‑privileged user to link their zones to banners or campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that banners and campaigns can only be linked to zones managed by the same account.
Weaknesses | | CWE-284
References | |
Metrics | | cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-23T17:41:50.468Z

Reserved: 2026-03-31T15:00:06.522Z

Link: CVE-2026-34912

Vulnrichment

Updated: 2026-06-23T17:41:47.603Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-23T20:15:04Z

Weaknesses