CVE-2026-44957
Summary
| CVE | CVE-2026-44957 |
|---|---|
| State | PUBLISHED |
| Assigner | hackerone |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-23 17:16:59 UTC |
| Updated | 2026-06-23 18:17:51 UTC |
| Description | A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with CVE‑2026‑34917 or with third‑party API extensions that expose API functionality to low‑privileged users. Access control checks have been added to validate access to parent entities in the API modify methods. |
Risk And Classification
Primary CVSS: v3.0 4.3 MEDIUM from [email protected]
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Problem Types: CWE-284 | CWE-284 CWE-284 Improper Access Control - Generic
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.0 | [email protected] | Secondary | 4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| 3.0 | CNA | DECLARED | 4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
CVSS v3.0 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
LowAvailability
NoneCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| hackerone.com/reports/3677576 | [email protected] | hackerone.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: barcrange (3l4) (en)
There are currently no legacy QID mappings associated with this CVE.