Access Control Bypass in Revive Adserver Affects User Permissions
CVE-2026-44958

5.4MEDIUM

Key Information:

Vendor: Revive
Status: Adserver
Vendor: CVE Published:; 23 June 2026

What is CVE-2026-44958?

An access control bypass vulnerability in Revive Adserver enables an advertiser-level user to modify the status of banners, regardless of whether they possess the necessary permissions. This flaw arises from the improper handling of permissions within the banner-edit.php script, which allowed unauthorized manipulation of banner statuses. With the status field removed from hidden form inputs, an attacker could exploit this vulnerability to activate or deactivate banners, undermining security measures and impacting ad management integrity.

Affected Version(s)

Adserver 0 <= 6.0.6

References

https://hackerone.com/reports/3678828

CVSS V3.0

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 23, 2026
Vulnerability Reserved
May 8, 2026

Credit

V3rtical

CVE-2026-44958 Data

JSON