Impact
A flaw in Revive Adserver allowed low-privileged session identifiers issued to the web admin console to be reused against the XML-RPC API, which is normally restricted to administrators. The issue is an authentication bypass (CWE-287). In the fixed code the session context (web or API) is recorded along with the other session data, so a session ID issued in one context is no longer accepted in the other. An attacker who had captured a non-admin web session ID can therefore no longer authenticate to the XML-RPC API, which closes the original bypass. In earlier releases where the flaw was present, the primary consequence would have been unauthorized access through the API.
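The following is an added illustration of the mitigation described above, not code from Revive Adserver: a minimal session store that records the issuing context, with the API authentication check modelled both before the fix (any live session ID accepted) and after it (context must be "api" and the session must be administrative). The field names, the "web"/"api" labels and the pre-fix behaviour are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Session:
    user: str
    is_admin: bool
    context: str  # "web" (admin console) or "api" (XML-RPC); hypothetical labels


class SessionStore:
    """In-memory session table standing in for the server-side session storage."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self, user: str, is_admin: bool, context: str) -> str:
        sid = secrets.token_hex(16)  # 128-bit random session identifier
        self._sessions[sid] = Session(user, is_admin, context)
        return sid

    def lookup(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)


def xmlrpc_auth_unbound(store: SessionStore, sid: str) -> bool:
    """Models the pre-fix check (assumed): any live session ID is accepted by
    the API, so a web-console session can be replayed against XML-RPC."""
    return store.lookup(sid) is not None


def xmlrpc_auth_bound(store: SessionStore, sid: str) -> bool:
    """Models the fix: the session must have been issued in the API context,
    and the API additionally requires the administrative flag."""
    session = store.lookup(sid)
    return session is not None and session.context == "api" and session.is_admin


if __name__ == "__main__":
    store = SessionStore()
    web_sid = store.issue("editor", is_admin=False, context="web")
    api_sid = store.issue("root", is_admin=True, context="api")
    print("pre-fix, web session at API:", xmlrpc_auth_unbound(store, web_sid))  # True
    print("fixed,   web session at API:", xmlrpc_auth_bound(store, web_sid))    # False
    print("fixed,   api admin session :", xmlrpc_auth_bound(store, api_sid))    # True
```

Binding the context at issue time means the check cannot be satisfied by a session ID alone, whatever privilege level it carries, because the stored record rather than the caller determines where the session is valid.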
Affected Systems
Revive Adserver is the affected product. No specific affected releases are enumerated in the available information, so the vulnerability may exist in multiple, unspecified versions of the software.
Risk and Exploitability
With a CVSS score of 4.3, the vulnerability is rated moderate in severity. No EPSS data is available and the vulnerability is not listed in the CISA KEV catalog, so the exploitation probability is low or uncertain. Because the session context is now recorded, low-privileged session IDs can no longer be reused against the XML-RPC API; exploitation is therefore only possible against older versions that have not applied the fix. Where applicable, the attack would require the attacker to capture a low-privileged session identifier and present it to the XML-RPC endpoint; current releases are not vulnerable.
OpenCVE Enrichment