CVE Catalog

CVE-2026-50744

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

7th percentile — higher than 7% of all known CVEs

Summary

A bypass to the admin-only restriction of the XML-RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated, allowing the leaked session ID to be used for subsequent unrestricted API calls.

Risk Assessment

An attacker can gain unauthorized access to administrative functions of the ad server, potentially leading to data theft, campaign manipulation, or full server compromise.

Recommendation

Immediately upgrade Revive Adserver to a version that fixes session invalidation after login failure and removes the session cookie leak in the API response.

Original NVD description (English source)

A bypass to the admin‑only restriction of the XML‑RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated. As a result, the leaked session ID could be used to perform subsequent API calls without restrictions.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS