CVE-2026-50744
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk7th percentile — higher than 7% of all known CVEs
Summary
A bypass to the admin-only restriction of the XML-RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated, allowing the leaked session ID to be used for subsequent unrestricted API calls.
Risk Assessment
An attacker can gain unauthorized access to administrative functions of the ad server, potentially leading to data theft, campaign manipulation, or full server compromise.
Recommendation
Immediately upgrade Revive Adserver to a version that fixes session invalidation after login failure and removes the session cookie leak in the API response.
Original NVD description (English source)
A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated. As a result, the leaked session ID could be used to perform subsequent API calls without restrictions.

