Description
A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with CVE‑2026‑34917 or with third‑party API extensions that expose API functionality to low‑privileged users. Access control checks have been added to validate access to parent entities in the API modify methods.
Published: 2026-06-23
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing access control check in the XML‑RPC API of Revive Adserver: the modify methods let an authenticated API user reassign an entity to a parent entity the caller is not authorized to access. This can lead to inconsistent ownership relationships and enable an attacker to elevate privileges or modify data that should be protected. The flaw is classified as CWE‑284 (Improper Access Control) because it permits unauthorized resource manipulation.

Affected Systems

Revive Adserver versions 6.0.6 and earlier are affected. The issue is only exploitable when the XML‑RPC modify methods are invoked, and it requires the presence of CVE‑2026‑34917 or third‑party API extensions that expose these methods to low‑privileged users.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation. However, the attack vector involves API calls over XML‑RPC, which may be publicly exposed in some deployments. Successful exploitation requires both the missing access control and either the related CVE‑2026‑34917 or a vulnerable extension, limiting the attack surface.

Generated by OpenCVE AI on June 24, 2026 at 01:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Revive Adserver version newer than 6.0.6 where access control checks validate parent entity modifications.
  • If upgrading is not immediately possible, restrict the XML‑RPC API to trusted administrators or block external access at the network level.
  • Identify and disable or update any third‑party extensions that expose the modify methods to low‑privileged users, ensuring they enforce proper access control.

Advisories

No advisories yet.

References
History

Wed, 24 Jun 2026 01:30:00 +0000

Type: Title
Values Added: XML‑RPC API Missing Access Control Enables Unauthorized Parent Reassignment in Revive Adserver

Tue, 23 Jun 2026 22:15:00 +0000

Type: Title
Values Added: Missing Access Control in XML‑RPC API Allows Unauthorized Parent Reassignment

Tue, 23 Jun 2026 20:30:00 +0000

Type: First Time appeared
Values Added: Revive; Revive adserver

Type: Vendors & Products
Values Added: Revive; Revive adserver

Tue, 23 Jun 2026 20:15:00 +0000

Type: Title
Values Added: Missing Access Control in XML‑RPC API Allows Unauthorized Parent Reassignment

Tue, 23 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type: Description
Values Added: A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with CVE‑2026‑34917 or with third‑party API extensions that expose API functionality to low‑privileged users. Access control checks have been added to validate access to parent entities in the API modify methods.

Type: Weaknesses
Values Added: CWE-284

Type: References

Type: Metrics (cvssV3_0)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-23T17:40:39.611Z

Reserved: 2026-05-08T15:00:02.447Z

Link: CVE-2026-44957

Vulnrichment

Updated: 2026-06-23T17:40:36.229Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T01:15:05Z

Weaknesses