Description
A missing access control check when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that campaigns can only be linked to trackers owned by the same advertiser.
Published: 2026-06-23
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing access control check in Revive Adserver's campaign-trackers.php script allows a low-privileged user on an instance running version 6.0.6 or earlier to link their trackers to campaigns owned by other managers. This creates inconsistent ownership relationships, potentially affecting reporting and business logic. The flaw is an improper access control weakness, classified as CWE-284.

Affected Systems

This flaw affects Revive Adserver 6.0.6 and all earlier releases. Users running these versions are susceptible unless the issue is patched or the affected functionality is disabled.

Risk and Exploitability

The CVSS score of 4.3 corresponds to Medium severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so there is no record of known exploitation yet. An attacker only needs authenticated access to the web interface and can exploit the vulnerability by accessing campaign-trackers.php with appropriate parameters. The attack vector is inferred to be the web application itself: any user who can reach the script is in a position to exploit it, and no privileged OS access is required.

Generated by OpenCVE AI on June 24, 2026 at 00:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the most recent Revive Adserver release that includes ownership validation for campaign‑tracker linking.
  • Configure role-based access controls so that only users with manager or higher privileges can use the campaign-tracker linking functionality.
  • Regularly audit and monitor web logs for unexpected tracker‑campaign linking activity to detect potential misuse.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 01:00:00 +0000

Type Values Removed Values Added
Title Low‑privileged User Can Link Trackers to Other Managers' Campaigns

Tue, 23 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Missing Access Control in Tracker‑Campaign Linking Allows Unauthorized Ownership Manipulation

Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Revive
Revive adserver
Vendors & Products Revive
Revive adserver

Tue, 23 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Missing Access Control in Tracker‑Campaign Linking Allows Unauthorized Ownership Manipulation

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description A missing access control check when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that campaigns can only be linked to trackers owned by the same advertiser.
Weaknesses CWE-284
References
Metrics cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-23T17:23:05.997Z

Reserved: 2026-03-31T15:00:06.522Z

Link: CVE-2026-34913

Vulnrichment

Updated: 2026-06-23T17:23:03.209Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T00:45:05Z

Weaknesses