CVE Catalog

CVE-2026-50739

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.17%

7th percentile — higher than 7% of all known CVEs

Summary

A bypass for CVE-2026-34913 exists in Revive Adserver 6.0.7 and earlier due to missing ownership validation in the reverse operation of linking campaigns and trackers via the `tracker-campaigns.php` script. A low-privileged user can link their trackers to campaigns owned by other managers on the same instance, causing inconsistent ownership relationships.

Risk Assessment

The risk involves data integrity and access control violations, as a low-privileged user can assign their trackers to other managers' campaigns, potentially manipulating reporting and attribution.

Recommendation

Immediately upgrade Revive Adserver to a version later than 6.0.7 that includes the ownership validation fix for the campaign-tracker linking operation.

Original NVD description (English source)

A bypass for CVE‑2026‑34913 exists with proper ownership validation that had not been applied to the reverse operation of linking campaigns and trackers through the `tracker-campaigns.php` script in Revive Adserver 6.0.7 and earlier. As a result, a low‑privileged user could link their trackers to campaigns owned by other managers on the same instance, leading to inconsistent ownership relationships.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS