Description
A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading the affected component is recommended. The vendor provides additional details: "The affected code path is a legacy Premium activation flow that has been deprecated. eyeo has already migrated to a new user account-based licensing system. The exploit does not grant permanent Premium access. The licensing server issues a short-lived trial license (valid for approximately 24 hours) for any submitted userId. On the next license check, the server validates against a real subscription and the trial expires if no valid subscription is found. The researcher's claim of permanently unlocking all Premium features is therefore incorrect. (...) The old flow has been present for years and has not been weaponized at scale to our knowledge. The risk to eyeo and to users is minimal."
Published: 2026-05-03
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the postMessage function of premium.preload.js within Adblock Plus’s Legacy Premium Activation component. An attacker can manipulate this call to bypass the component’s access controls, resulting in a short‑lived (≈24‑hour) trial license that grants temporary Premium access. The exploit does not provide permanent unlocking of features, but it enables unauthorized use of Premium functionality for the trial period.

Affected Systems

Eyeo’s Adblock Plus extension for Chrome, versions up to 4.36.2, is affected. The issue is specific to the legacy Premium Activation flow, which has been deprecated in favor of a user-account-based licensing system.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity. With no EPSS rating reported and the vulnerability absent from CISA’s KEV catalog, the overall risk is moderate. An attacker can potentially trigger the flaw remotely by sending a crafted postMessage payload from a malicious page or script that interacts with the extension. While the resulting privileged access is temporary, it still compromises the integrity of the licensing model and could be abused in the short window before the trial expires.

Generated by OpenCVE AI on May 3, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Adblock Plus to the latest available version (4.36.3 or newer).
  • If an upgrade is not feasible, fully remove or disable the Legacy Premium Activation component or the entire extension to eliminate the vulnerable code path.
  • Configure Chrome’s content security policy or use a browser extension to block or monitor postMessage traffic targeting the premium.preload.js script and ensure only trusted origins can communicate with the extension.
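The crafted-postMessage scenario in the analysis above and the "only trusted origins" recommendation reduce to one control on the receiving side: a message handler that gates a privileged action must verify `event.origin` against an allowlist and validate the message shape before acting on it. The block below is an added example, not code from Adblock Plus or eyeo; the origin allowlist, the `activate` message type, the userId format, the sample events and all function names are assumptions constructed for the illustration. It places a deliberately weak handler (no origin or shape check) beside the hardened one and runs both over the same constructed events so the difference is visible.

```javascript
// Added example, not Adblock Plus code: hardening a postMessage handler that
// gates a privileged action (here, licence activation). Allowlist, message
// type, userId format and sample events are assumptions for this illustration.

// Assumed allowlist of page origins permitted to talk to the handler.
const TRUSTED_ORIGINS = new Set(["https://licensing.example"]);

// Assumed message types the handler is willing to act on.
const ALLOWED_TYPES = new Set(["activate"]);

// Assumed userId format: bounded, URL-safe token; anything else is rejected
// before it can reach licensing logic.
const USER_ID_RE = /^[A-Za-z0-9_-]{8,64}$/;

// Weak pattern (constructed for contrast): no origin or shape check, so any
// page that can reach the window can trigger the privileged action.
function weakHandler(event) {
  return { accepted: true, userId: event.data.userId };
}

// Hardened pattern: every message is checked against origin, type and shape.
// Returns a verdict object so the caller can log why a message was dropped.
function validateActivationMessage(event) {
  if (typeof event.origin !== "string" || !TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted-origin" };
  }
  const data = event.data;
  if (data === null || typeof data !== "object") {
    return { accepted: false, reason: "malformed-payload" };
  }
  if (!ALLOWED_TYPES.has(data.type)) {
    return { accepted: false, reason: "unknown-type" };
  }
  if (typeof data.userId !== "string" || !USER_ID_RE.test(data.userId)) {
    return { accepted: false, reason: "invalid-userId" };
  }
  return { accepted: true, userId: data.userId };
}

// Wires the validator to a message source and calls onActivate only for
// messages that pass. Drops are logged with origin and reason, which is the
// signal a defender would want to monitor.
function installActivationHandler(target, onActivate, log = console.warn) {
  target.addEventListener("message", (event) => {
    const verdict = validateActivationMessage(event);
    if (!verdict.accepted) {
      log(`dropped postMessage from ${event.origin}: ${verdict.reason}`);
      return;
    }
    onActivate(verdict.userId);
  });
}

// Constructed sample events: one legitimate, the rest hostile or malformed.
const SAMPLE_EVENTS = [
  { origin: "https://licensing.example", data: { type: "activate", userId: "user_12345678" } },
  { origin: "https://attacker.example", data: { type: "activate", userId: "user_12345678" } },
  { origin: "https://licensing.example", data: "activate" },
  { origin: "https://licensing.example", data: { type: "reset", userId: "user_12345678" } },
  { origin: "https://licensing.example", data: { type: "activate", userId: "<script>" } },
];

// Runs every sample through both handlers and counts how many each accepts.
function compareHandlers(events = SAMPLE_EVENTS) {
  return {
    weakAccepted: events.filter((e) => weakHandler(e).accepted).length,
    hardenedAccepted: events.filter((e) => validateActivationMessage(e).accepted).length,
  };
}

// Minimal stand-in for a window so the example runs outside a browser.
function makeFakeWindow() {
  const listeners = [];
  return {
    addEventListener: (type, fn) => { if (type === "message") listeners.push(fn); },
    dispatch: (event) => listeners.forEach((fn) => fn(event)),
  };
}

function runDemo() {
  const win = makeFakeWindow();
  installActivationHandler(win, (userId) => console.log(`activation accepted for ${userId}`));
  SAMPLE_EVENTS.forEach((e) => win.dispatch(e));
  return compareHandlers();
}

console.log(runDemo());
```

Two design points: the verdict carries a reason so dropped messages can be counted per origin and per cause in extension or page telemetry, and the userId check happens in the handler rather than being deferred to the licensing server, so an unexpected value never leaves the client.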

Advisories

No advisories yet.

History

Sun, 03 May 2026 08:00:00 +0000

Values Removed: none. Values Added:
  • Description: A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading the affected component is recommended. The vendor provides additional details: "The affected code path is a legacy Premium activation flow that has been deprecated. eyeo has already migrated to a new user account-based licensing system. The exploit does not grant permanent Premium access. The licensing server issues a short-lived trial license (valid for approximately 24 hours) for any submitted userId. On the next license check, the server validates against a real subscription and the trial expires if no valid subscription is found. The researcher's claim of permanently unlocking all Premium features is therefore incorrect. (...) The old flow has been present for years and has not been weaponized at scale to our knowledge. The risk to eyeo and to users is minimal."
  • Title: eyeo Adblock Plus Legacy Premium Activation premium.preload.js postMessage access control
  • Weaknesses: CWE-266, CWE-284
  • References: (none shown)
  • Metrics:
      cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
      cvssV3_0: {'score': 5.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
      cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
      cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-03T07:30:12.937Z

Reserved: 2026-05-02T16:03:17.517Z

Link: CVE-2026-7686

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-03T08:16:01.073

Modified: 2026-05-03T08:16:01.073

Link: CVE-2026-7686

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-03T09:30:16Z

Weaknesses