CVE-2026-34913
Status: Deferred - Pending Action
Missing Access Control in Revive Adserver Tracker Linking

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: HackerOne

Description
A missing access control check when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that campaigns can only be linked to trackers owned by the same advertiser.
Affected Vendors & Products
Vendor: revive_adserver
Product: revive_adserver
Version / Range: to 6.0.6 (exc)
CWE
CWE ID: CWE-284
Description: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

This vulnerability is due to a missing access control check in the campaign-trackers.php script of Revive Adserver version 6.0.6 and earlier. It allows a low-privileged user to link their trackers to campaigns that are owned by other managers within the same instance. This results in inconsistent ownership relationships between trackers and campaigns.

The issue has been addressed by adding ownership validation to ensure that campaigns can only be linked to trackers owned by the same advertiser.

Impact Analysis

This vulnerability allows low-privileged users to link their own trackers to campaigns that they do not own. This could lead to inconsistent ownership data, potentially causing confusion or mismanagement of advertising campaigns.

While it does not directly affect confidentiality or availability, it can impact the integrity of campaign ownership information.
