Impact
A missing access control check in the XML‑RPC modify methods of Revive Adserver 6.0.6 and earlier allows an authenticated user to change the parent entity of other objects, leading to inconsistent ownership relationships. The flaw permits unauthorized resource manipulation and is classified as CWE‑284.
Affected Systems
Revive Adserver versions 6.0.6 and earlier are impacted. Exploitation requires the XML‑RPC modify methods and the presence of CVE‑2026‑34917 or third‑party API extensions that expose these methods to low‑privileged users.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting a lower likelihood of widespread exploitation. The likely attack vector is through XML‑RPC API calls, which are typically served over HTTP; the API may be publicly exposed, but this is inferred rather than confirmed in the official description. Successful exploitation demands both the access‑control bypass and either CVE‑2026‑34917 or vulnerability in an extension, thereby limiting the attack surface.
OpenCVE Enrichment