CVE-2026-44957_CVE-2026-44957

4.3 / 10

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Description

A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with CVE‑2026‑34917 or with third‑party API extensions that expose API functionality to low‑privileged users. Access control checks have been added to validate access to parent entities in the API modify methods.

Basic Information

ID CVE-2026-44957

Source hackerone

Published Jun 23, 2026 at 16:14

Modified Jun 23, 2026 at 17:40

Affected Product

Vendor Revive

Product Adserver

Affected Versions Revive Adserver 0

CWE Classification

CWE-284

References

hackerone.com /reports/3677576

{
    "lastseen": "",
    "description": "A missing access control check when invoking various modify methods in the XML\u2011RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with CVE\u20112026\u201134917 or with third\u2011party API extensions that expose API functionality to low\u2011privileged users. Access control checks have been added to validate access to parent entities in the API modify methods.",
    "published": "2026-06-23T16:14:38.100Z",
    "modified": "2026-06-23T17:40:39.611Z",
    "type": "cve",
    "title": "CVE-2026-44957",
    "source": "hackerone",
    "references": "https://hackerone.com/reports/3677576",
    "id": "CVE-2026-44957",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "Revive Adserver 0",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
        "version": "3.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Adserver",
    "version": "0",
    "vendor": "Revive",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}