Description
Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context (web/API) is now recorded along with other session data, preventing session IDs from being used interchangeably.
Published: 2026-06-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Revive Adserver previously allowed low‑privileged session identifiers issued for the web admin console to be reused against the XML‑RPC API, which is normally restricted to administrators. This enabled attackers with a captured session token to gain unauthorized API access and exploit privileged operations, a classic CWE‑287 authentication bypass. The latest release records the session context (web or API) alongside other session data, preventing such cross‑context reuse.

Affected Systems

Revive Adserver is the affected product. No version data is provided, so the flaw may exist in multiple earlier releases that have not yet applied the context separation fix.

Risk and Exploitability

The CVSS score of 4.3 classifies the vulnerability as moderate, and EPSS data is not available with the vulnerability not listed in the CISA KEV catalog, indicating low or uncertain exploitation probability. Older releases that do not enforce session context separation remain vulnerable; an attacker would need to capture a non‑admin session ID and attempt reuse against the XML‑RPC endpoint. Newer releases mitigate the vector by enforcing context checks, thereby limiting exploitation to unpatched systems.

Generated by OpenCVE AI on June 24, 2026 at 11:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Revive Adserver to the latest version that implements session‑context separation.
  • Configure network or application access controls so that only trusted administrators or the internal network can reach the XML‑RPC API endpoint.
  • Modify the API server logic to verify that the session has an “admin” flag before executing privileged actions.

Generated by OpenCVE AI on June 24, 2026 at 11:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title Session ID Reuse Allows Authentication Bypass in Revive Adserver XML‑RPC API

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Title Session ID Reuse Allows Authentication Bypass in Revive Adserver XML‑RPC API

Wed, 24 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Session ID Reuse Vulnerability in Revive Adserver XML‑RPC API

Wed, 24 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Session ID Reuse Vulnerability in Revive Adserver XML‑RPC API

Tue, 23 Jun 2026 23:30:00 +0000

Type Values Removed Values Added
Title Revive Adserver Session ID Reuse Vulnerability Enables Unauthorized API Access

Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Revive
Revive adserver
Vendors & Products Revive
Revive adserver

Tue, 23 Jun 2026 19:15:00 +0000

Type Values Removed Values Added
Title Revive Adserver Session ID Reuse Vulnerability Enables Unauthorized API Access

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context (web/API) is now recorded along with other session data, preventing session IDs from being used interchangeably.
Weaknesses CWE-287
References
Metrics cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-23T17:24:49.856Z

Reserved: 2026-03-31T15:00:06.522Z

Link: CVE-2026-34917

cve-icon Vulnrichment

Updated: 2026-06-23T17:24:43.648Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses