CVE Catalog

CVE-2026-44957

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Summary

A missing access control check when invoking various modify methods in the XML-RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships.

Risk Assessment

The organization may be exposed to unauthorized modifications of ownership relationships, potentially leading to loss of data control. Exploitation of this vulnerability may be possible in conjunction with other vulnerabilities or API extensions.

Recommendation

It is recommended to upgrade to the latest version of Revive Adserver to benefit from the added access controls. Additionally, review any used API extensions for potential vulnerabilities.

Original NVD description (English source)

A missing access control check when invoking various modify methods in the XML‑RPC API of Revive Adserver 6.0.6 and earlier. The API allowed entities to be reassigned to different parent entities, leading to inconsistent ownership relationships. This issue was exploitable only in combination with CVE‑2026‑34917 or with third‑party API extensions that expose API functionality to low‑privileged users. Access control checks have been added to validate access to parent entities in the API modify methods.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS