Description
A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated. As a result, the leaked session ID could be used to perform subsequent API calls without restrictions.
Published: 2026-06-26
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Revive Adserver 6.0.7 allows an attacker to bypass the admin‑only restriction on its XML‑RPC API. The ox.login method returns a session ID cookie even when the login fails, and the session is not invalidated. An adversary can capture that cookie and then use it to make subsequent API calls without any administrative credentials, potentially altering ad configuration or harvesting data. The weakness is a form of insufficient access control (CWE‑284).
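The defect pattern described above, modelled as an added example (hypothetical code, not Revive Adserver's): a login handler that establishes the session before its final authorisation check and forgets to destroy it on the error path, beside a hardened version that creates the session only after every check has passed and sends no cookie on any failure. The reading that the error is an admin-only refusal of an otherwise valid user (consistent with the description and the PR:L component of the CVSS vector), the user table, the cookie name `sessionid` and all function names are assumptions made for the example.

```python
"""Hypothetical model (not Revive Adserver's code) of the session-handling
defect described in CVE-2026-50744: the login method establishes a session,
then refuses the caller with an error, but never tears the session down, so
the Set-Cookie header that already carries the session id leaks a usable
session. The admin-only interpretation of the refusal is an assumption."""
import hashlib
import hmac
import secrets

# Constructed user table: username -> (salt, sha256(salt + password), is_admin).
_SALT = b"constructed-salt"


def _digest(salt: bytes, password: str) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


USERS = {
    "admin": (_SALT, _digest(_SALT, "admin-pass-constructed"), True),
    "reporter": (_SALT, _digest(_SALT, "reporter-pass-constructed"), False),
}


class SessionStore:
    """In-memory stand-in for the server-side session table."""

    def __init__(self) -> None:
        self.sessions: dict[str, str] = {}  # session id -> username

    def create(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

    def destroy(self, sid: str) -> None:
        self.sessions.pop(sid, None)

    def owner(self, sid: str):
        return self.sessions.get(sid)


def _authenticate(user: str, password: str) -> bool:
    rec = USERS.get(user)
    if rec is None:
        return False
    salt, digest, _ = rec
    return hmac.compare_digest(_digest(salt, password), digest)


def login_vulnerable(store: SessionStore, user: str, password: str) -> dict:
    """Defect pattern: the session is created as soon as the password checks
    out; the admin check that follows returns a fault but leaves the session
    alive, and the response still carries the Set-Cookie header."""
    if not _authenticate(user, password):
        return {"fault": "invalid credentials", "headers": {}}
    sid = store.create(user)                      # session established here
    headers = {"Set-Cookie": f"sessionid={sid}"}  # and already in the response
    if not USERS[user][2]:
        # Correct error, but store.destroy(sid) is missing: the session lives on.
        return {"fault": "admin access required", "headers": headers}
    return {"result": sid, "headers": headers}


def login_fixed(store: SessionStore, user: str, password: str) -> dict:
    """Hardened version: no session exists until every check has passed, and
    every failure path returns the same generic fault with no cookie."""
    if not _authenticate(user, password) or not USERS[user][2]:
        return {"fault": "login failed", "headers": {}}
    sid = store.create(user)
    return {"result": sid, "headers": {"Set-Cookie": f"sessionid={sid}"}}


def api_call(store: SessionStore, sid: str) -> str:
    """A privileged API method: accepts any session id the store still knows."""
    user = store.owner(sid)
    return "denied" if user is None else f"ok as {user}"


def leaked_session_from(response: dict):
    """What a client sees: the session id inside Set-Cookie, if one was sent."""
    cookie = response["headers"].get("Set-Cookie", "")
    return cookie.split("=", 1)[1] if cookie.startswith("sessionid=") else None


def demo():
    """Outcome of a non-admin login against each handler, as (vulnerable, fixed)."""
    vuln_store, fixed_store = SessionStore(), SessionStore()
    r1 = login_vulnerable(vuln_store, "reporter", "reporter-pass-constructed")
    r2 = login_fixed(fixed_store, "reporter", "reporter-pass-constructed")
    sid1, sid2 = leaked_session_from(r1), leaked_session_from(r2)
    return (api_call(vuln_store, sid1) if sid1 else "no cookie",
            api_call(fixed_store, sid2) if sid2 else "no cookie")


if __name__ == "__main__":
    print(demo())  # ('ok as reporter', 'no cookie')
```

The point of the hardened handler is ordering: nothing that can be serialised into a response (a session row, a cookie header) should exist until the last authorisation decision has been made, so an error path has nothing to forget to clean up.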

Affected Systems

The product affected is Revive Adserver 6.0.7, provided by Revive:Adserver. No other versions or additional vendors are listed.

Risk and Exploitability

The CVSS score of 4.3 indicates a low severity vulnerability. EPSS data is not available, and the issue is not listed in the CISA KEV catalog, suggesting a lower probability of widespread exploitation at present. Nevertheless, as inferred from the description, the attack can be performed remotely by sending a malformed ox.login request to the XML‑RPC endpoint; the attacker then captures the returned session cookie and re‑uses it for privileged API calls. This makes the vulnerability a low‑to‑moderate risk, with the potential for serious impact if an attacker successfully gains unauthorized API access.

Generated by OpenCVE AI on June 26, 2026 at 03:55 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Revive Adserver to the latest version that corrects the session invalidation bug.
  • If an upgrade is not feasible, restrict the XML‑RPC endpoint to trusted IPs or apply network firewall rules to limit access to the API.
  • Continuously monitor API call logs for anomalous sessions and investigate any unauthorized activity immediately.
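One way to act on the last recommendation, as an added example that is not part of the OpenCVE page or the Revive project: a small log correlator that flags any session id whose ox.login call returned a fault and which nonetheless shows up on later API calls, which is exactly the sequence this flaw produces. The log line format, the `status=fault` marker and the sample lines are constructed for the example; the regex has to be adapted to whatever the deployment actually logs, and the approach assumes the log records the session id tied to each call.

```python
"""Added detection example (not from OpenCVE or Revive): correlate API log
lines so that a session whose most recent ox.login faulted, yet which is
reused on other methods afterwards, is reported. Log format is constructed."""
import re
from collections import defaultdict

# Constructed format: "<timestamp> <client ip> method=<m> status=<ok|fault> session=<id>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) method=(?P<method>\S+) "
    r"status=(?P<status>\S+) session=(?P<session>\S+)$"
)

# Constructed sample: s-1 fails ox.login but is reused; s-3 fails and is not.
SAMPLE_LOG = """\
2026-06-26T10:00:01Z 198.51.100.7 method=ox.login status=fault session=s-1
2026-06-26T10:00:05Z 198.51.100.7 method=ox.getCampaign status=ok session=s-1
2026-06-26T10:00:09Z 198.51.100.7 method=ox.updateCampaign status=ok session=s-1
2026-06-26T10:01:00Z 203.0.113.4 method=ox.login status=ok session=s-2
2026-06-26T10:01:03Z 203.0.113.4 method=ox.getCampaign status=ok session=s-2
2026-06-26T10:02:00Z 192.0.2.9 method=ox.login status=fault session=s-3
"""


def parse(log_text: str):
    """Yield one dict per well-formed line; unparsable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_reused_failed_sessions(log_text: str) -> dict:
    """Return {session_id: [methods]} for every session whose last ox.login
    faulted and which was then used for other API calls."""
    failed = set()                 # sessions whose most recent ox.login faulted
    reuse = defaultdict(list)
    for rec in parse(log_text):
        sid, method, status = rec["session"], rec["method"], rec["status"]
        if method == "ox.login":
            if status == "fault":
                failed.add(sid)
            else:
                failed.discard(sid)   # a later successful login clears the flag
        elif sid in failed:
            reuse[sid].append(method)
    return dict(reuse)


if __name__ == "__main__":
    for sid, methods in find_reused_failed_sessions(SAMPLE_LOG).items():
        print(f"ALERT session {sid} used after failed login: {', '.join(methods)}")
```

On a patched server this condition should never fire, so even a single hit is worth an incident ticket; on an unpatched one it is the most direct evidence that the leaked cookie is being used.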

Advisories

No advisories yet.

References
History

Fri, 26 Jun 2026 13:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 06:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Revive; Revive adserver

Type: Vendors & Products
Values removed: (none)
Values added: Revive; Revive adserver

Fri, 26 Jun 2026 04:15:00 +0000

Type: Title
Values removed: (none)
Values added: Bypass Admin‑Only Restriction via Leaked XML‑RPC Session ID in Revive Adserver

Fri, 26 Jun 2026 01:30:00 +0000

Type: Description
Values removed: (none)
Values added: A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated. As a result, the leaked session ID could be used to perform subsequent API calls without restrictions.

Type: Weaknesses
Values removed: (none)
Values added: CWE-284

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_0 {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-26T12:29:47.196Z

Reserved: 2026-06-06T15:00:09.779Z

Link: CVE-2026-50744

Vulnrichment

Updated: 2026-06-26T12:29:41.631Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T06:30:17Z

Weaknesses