CVE-2026-44958
Status: Deferred - Pending Action
Access Control Bypass in Revive Adserver

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: HackerOne

Description
An access control bypass allows an advertiser-level user to activate or deactivate a banner in Revive Adserver 6.0.6 and earlier, even when such permissions were not granted. The banner-edit.php script allowed the banner status to be overwritten solely based on banner edit permissions. The status field has been removed from the hidden form fields in the banner edit screen.
Meta Information
Published
2026-06-23
Last Modified
2026-06-23
Generated
2026-06-23
Affected Vendors & Products
Vendor: revive_adserver
Product: revive_adserver
Version / Range: to 6.0.6 (exc)
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

This vulnerability is an access control bypass in Revive Adserver version 6.0.6 and earlier. It allows a user with advertiser-level permissions to activate or deactivate a banner even if they do not have explicit permission to change the banner's status. The issue arises because the banner-edit.php script allowed the banner status to be changed based solely on banner edit permissions, rather than specific status change permissions.

To mitigate this, the status field was removed from the hidden form fields in the banner edit screen.
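The pattern behind this bug, as an added illustration written for this page (hypothetical code, not Revive Adserver's own banner-edit.php): an edit handler that persists every posted field, including a hidden status field, once the user has banner edit rights, beside a hardened handler that keeps status out of the editable field set and gates status changes behind their own permission check. All function and field names are assumptions.

```php
<?php
// Hypothetical illustration of the class of bug described above; this is
// NOT Revive Adserver's code. Field and function names are assumed.

// Vulnerable pattern: the edit form carries the banner status in a hidden
// field, and the handler persists every posted field once the user may edit
// the banner. A user with edit rights but no status rights can therefore
// flip the status simply by altering the hidden value before submitting.
function saveBannerVulnerable(array $post, array $banner, bool $canEditBanner): array
{
    if (!$canEditBanner) {
        throw new RuntimeException('forbidden');
    }
    foreach (['description', 'url', 'status'] as $field) {
        if (isset($post[$field])) {
            $banner[$field] = $post[$field];
        }
    }
    return $banner;
}

// Hardened pattern, mirroring the fix described above: status is no longer
// one of the fields the edit handler accepts, so a tampered hidden field is
// ignored; status changes are a separate operation with their own check.
function saveBannerFixed(array $post, array $banner, bool $canEditBanner): array
{
    if (!$canEditBanner) {
        throw new RuntimeException('forbidden');
    }
    foreach (['description', 'url'] as $field) {   // 'status' deliberately absent
        if (isset($post[$field])) {
            $banner[$field] = $post[$field];
        }
    }
    return $banner;
}

function setBannerStatus(array $banner, string $status, bool $canChangeStatus): array
{
    if (!$canChangeStatus) {
        throw new RuntimeException('forbidden');
    }
    $banner['status'] = $status;
    return $banner;
}

// Constructed request: edit rights granted, status rights not, hidden field tampered.
$banner = ['description' => 'Spring sale', 'url' => 'https://example.test', 'status' => 'inactive'];
$post   = ['description' => 'Spring sale', 'url' => 'https://example.test', 'status' => 'active'];
echo saveBannerVulnerable($post, $banner, true)['status'], PHP_EOL; // status taken from the form
echo saveBannerFixed($post, $banner, true)['status'], PHP_EOL;      // status left unchanged
```

The general lesson is a server-side allow-list of the fields an edit endpoint may write, derived from the user's actual permissions rather than from whatever the form happens to post.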

Impact Analysis

This vulnerability allows users with limited (advertiser-level) permissions to change the activation status of banners without proper authorization. Unauthorized activation or deactivation of advertising banners can disrupt advertising campaigns, cause loss of revenue, or affect the visibility of ads.

Mitigation Strategies

To mitigate this vulnerability, ensure that you upgrade Revive Adserver to a version later than 6.0.6 where the issue has been addressed by removing the status field from hidden form fields in the banner edit screen.

Additionally, review and restrict advertiser-level user permissions to prevent unauthorized activation or deactivation of banners.
