Description
A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with CVE‑2026‑34917 or with third‑party API extensions that expose API functionality to low‑privileged users. Access control checks have been added to validate access to parent entities in the API modify methods.
Published: 2026-06-23
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing access control check in the XML‑RPC modify methods of Revive Adserver 6.0.6 and earlier allows an authenticated user to change the parent entity of other objects, leading to inconsistent ownership relationships. The flaw permits unauthorized resource manipulation and is classified as CWE‑284.

Affected Systems

Revive Adserver versions 6.0.6 and earlier are impacted. Exploitation requires the XML‑RPC modify methods and the presence of CVE‑2026‑34917 or third‑party API extensions that expose these methods to low‑privileged users.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation. The likely attack vector is through XML‑RPC API calls, which are typically served over HTTP; the API may be publicly exposed, but this is inferred rather than confirmed in the official description. Successful exploitation demands both the access‑control bypass and either CVE‑2026‑34917 or vulnerability in an extension, thereby limiting the attack surface.

Generated by OpenCVE AI on June 24, 2026 at 11:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Revive Adserver to version 6.0.7 or later, where parent modification access controls are enforced.
  • If an upgrade is not immediately possible, restrict the XML‑RPC API to trusted administrators or block external network traffic to the XML‑RPC port.
  • Review any installed extensions and disable or patch those that expose parent modification methods to low‑privileged users, ensuring they implement proper authentication checks.

Generated by OpenCVE AI on June 24, 2026 at 11:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
History

Wed, 24 Jun 2026 12:15:00 +0000

Type Values Removed Values Added
Title XML‑RPC Parent Reassignment Without Access Control in Revive Adserver

Wed, 24 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Title XML‑RPC Parent Reassignment Without Access Control in Revive Adserver

Wed, 24 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title XML‑RPC API Missing Access Control Enables Unauthorized Parent Reassignment in Revive Adserver

Wed, 24 Jun 2026 01:30:00 +0000

Type Values Removed Values Added
Title XML‑RPC API Missing Access Control Enables Unauthorized Parent Reassignment in Revive Adserver

Tue, 23 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Missing Access Control in XML‑RPC API Allows Unauthorized Parent Reassignment

Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Revive
Revive adserver
Vendors & Products Revive
Revive adserver

Tue, 23 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Title Missing Access Control in XML‑RPC API Allows Unauthorized Parent Reassignment

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with CVE‑2026‑34917 or with third‑party API extensions that expose API functionality to low‑privileged users. Access control checks have been added to validate access to parent entities in the API modify methods.
Weaknesses CWE-284
References
Metrics cvssV3_0

{'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-23T17:40:39.611Z

Reserved: 2026-05-08T15:00:02.447Z

Link: CVE-2026-44957

cve-icon Vulnrichment

Updated: 2026-06-23T17:40:36.229Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:00:05Z

Weaknesses