CVE-2026-50744
Status: Awaiting Analysis
Admin Session Bypass in Revive Adserver via XML-RPC API

Publication date: 2026-06-26

Last updated on: 2026-06-26

Assigner: HackerOne

Description
A bypass of the admin-only restriction on the XML-RPC API in Revive Adserver 6.0.7. The HTTP response to the ox.login method included a session ID cookie in its headers, and although the method correctly returned an error, the server-side session associated with that cookie was not invalidated. The leaked session ID could therefore be used to perform subsequent API calls without restriction.
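The failure mode described above is an ordering bug between session creation, the authorization gate, and error handling. The following Python model is an added illustration and is not Revive Adserver's code: it models a login endpoint whose session is started and whose cookie is emitted before the admin check (the vulnerable ordering), beside a hardened version that creates no session and sets no cookie until every check has passed. The user table, the cookie name `sessionID`, the fault codes and the function names are all assumptions made for the example. `leaked_session_id` shows the check a tester would run against a real response: an XML-RPC fault that still carries a Set-Cookie header is the signature of the bug.

```python
import secrets
import xmlrpc.client
from dataclasses import dataclass, field

# Constructed credential table (hypothetical): username -> (password, is_admin).
USERS = {
    "admin": ("adm1n-pass", True),
    "analyst": ("r3port-pass", False),
}

ADMIN_ONLY_FAULT = 801   # hypothetical fault code, not Revive's
BAD_CREDENTIALS_FAULT = 401


class SessionStore:
    """Toy server-side session table keyed by session ID."""

    def __init__(self):
        self.sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def destroy(self, sid):
        self.sessions.pop(sid, None)

    def is_valid(self, sid):
        # A session counts as live only once a user has been bound to it.
        return sid in self.sessions and self.sessions[sid]["user"] is not None


@dataclass
class Response:
    body: bytes                      # XML-RPC methodResponse (value or fault)
    headers: dict = field(default_factory=dict)


def _fault(code, message):
    return xmlrpc.client.dumps(xmlrpc.client.Fault(code, message), methodresponse=True).encode()


def _cookie(sid):
    return {"Set-Cookie": f"sessionID={sid}; Path=/; HttpOnly"}


def vulnerable_login(store, username, password):
    """Flawed ordering: session started and cookie emitted before the admin gate,
    and a rejected login leaves the bound session alive."""
    sid = store.create()
    headers = _cookie(sid)
    record = USERS.get(username)
    if record is None or record[0] != password:
        return Response(_fault(BAD_CREDENTIALS_FAULT, "Invalid credentials"), headers)
    store.sessions[sid]["user"] = username          # user bound before the admin check
    if not record[1]:
        # Correct error, but the session is never destroyed and the cookie goes out anyway.
        return Response(_fault(ADMIN_ONLY_FAULT, "API restricted to administrators"), headers)
    return Response(xmlrpc.client.dumps((sid,), methodresponse=True).encode(), headers)


def hardened_login(store, username, password):
    """Fixed ordering: no session and no cookie until every check has passed."""
    record = USERS.get(username)
    if record is None or record[0] != password:
        return Response(_fault(BAD_CREDENTIALS_FAULT, "Invalid credentials"))
    if not record[1]:
        return Response(_fault(ADMIN_ONLY_FAULT, "API restricted to administrators"))
    sid = store.create()
    store.sessions[sid]["user"] = username
    return Response(xmlrpc.client.dumps((sid,), methodresponse=True).encode(), _cookie(sid))


def admin_only_call(store, sid):
    """Any later API method in the model: the server trusts a live session, as the
    advisory describes (the admin gate is applied only at login)."""
    return store.is_valid(sid)


def leaked_session_id(resp):
    """Detection: return the session ID if a fault response still sets the cookie."""
    try:
        xmlrpc.client.loads(resp.body.decode())
    except xmlrpc.client.Fault:
        for part in resp.headers.get("Set-Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "sessionID" and value:
                return value
    return None


def successful_session_id(resp):
    """Session ID returned as the value of a non-fault ox.login-style response."""
    params, _ = xmlrpc.client.loads(resp.body.decode())
    return params[0]


def probe(login_fn):
    """Log in as a valid non-admin user; report (cookie leaked?, session usable?)."""
    store = SessionStore()
    resp = login_fn(store, "analyst", "r3port-pass")
    sid = leaked_session_id(resp)
    return (sid is not None, sid is not None and admin_only_call(store, sid))


if __name__ == "__main__":
    print("vulnerable:", probe(vulnerable_login))   # (True, True)
    print("hardened:  ", probe(hardened_login))     # (False, False)
```

Against a live instance the same check applies to the raw HTTP exchange: send an ox.login call that is expected to be rejected, and treat any Set-Cookie session header on the fault response, followed by a successful call to another method with that cookie, as confirmation. The hardened version closes both halves of the bug: it authorizes before it allocates, and a rejected login returns no session material at all.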
Meta Information
Generated: 2026-06-27
EPSS evaluated: 2026-06-26
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: revive_adserver
Product: revive_adserver
Version / Range: 6.0.7
CWE
CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Executive Summary

Revive Adserver 6.0.7 restricts its XML-RPC API to administrators, but that restriction could be bypassed. When the ox.login method was called, the HTTP response carried a session ID cookie even though the method correctly returned an error, and the server-side session behind that cookie was not invalidated. The leaked session ID could therefore be reused for subsequent API calls without any restriction.

Impact Analysis

An attacker who obtains the session ID leaked in a rejected ox.login response can bypass the admin-only restriction and call the XML-RPC API with the privileges of that session. This could give unauthorized access to administrative functions of the Revive Adserver instance, and with it the ability to perform unauthorized actions or expose data.

Compliance Impact

Because the leaked session ID grants unrestricted API access, an attacker could reach administrative functions and read or manipulate sensitive data.

Because the vulnerability involves session hijacking and unauthorized access, it may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access.

However, specific impacts on compliance depend on the data handled by the affected system and the controls in place. The CVE description does not explicitly mention compliance implications.
