CVE-2026-50744: CWE-284 Improper Access Control - Generic in Revive Adserver
CVE-2026-50744 is a medium severity vulnerability in Revive Adserver 6.0.7 involving improper access control in the XML-RPC API. The ox.login method sets a session ID cookie in the HTTP response headers even when the login fails, and that session is not invalidated on the error path. The leaked session ID can then be replayed on subsequent API calls, bypassing the admin-only restriction on the XML-RPC API.
AI Analysis
Technical Summary
This vulnerability in Revive Adserver 6.0.7 is an improper access control weakness (CWE-284) in the XML-RPC API. The ox.login method returns a session ID cookie in the HTTP headers of its response even when the call itself returns an error, and the server does not invalidate that session. An attacker who captures the cookie from a failed login can present it on later XML-RPC calls that should be limited to administrators, so the admin-only restriction is bypassed without the attacker ever having authenticated successfully.
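To make the failure mode concrete, the following is an added example written for this page; it is not Revive Adserver code and does not reproduce the project's implementation. It models a tiny XML-RPC endpoint using the standard library's XML-RPC marshalling: in the flawed mode the session is created and its cookie emitted before the credentials are checked, and later calls accept any session the server knows about; in the hardened mode the session is destroyed on a failed login, no cookie is returned, and the gate additionally requires an authenticated user. The credential store, the cookie name `sessionID`, the method name `ox.exampleMethod` and the exact shape of the authorization gate are all assumptions of the model.

```python
import secrets
from xmlrpc.client import Fault, dumps, loads

# Constructed credential store and cookie name; both are assumptions for this model.
USERS = {"admin": "correct horse battery staple"}
SESSION_COOKIE = "sessionID"


class XmlRpcApi:
    """Stand-in for an XML-RPC endpoint whose methods are admin-only after ox.login."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}  # session id -> authenticated username, or None

    def handle(self, request_body, cookies):
        """Dispatch one XML-RPC call. Returns (response_headers, response_body)."""
        params, method = loads(request_body)
        if method == "ox.login":
            return self._login(*params)
        sid = cookies.get(SESSION_COOKIE)
        if sid not in self.sessions:
            return {}, dumps(Fault(403, "Not logged in"))
        # Flawed gate: any session the server knows about is accepted, even one left
        # behind by a failed login. Hardened gate: the session must carry a user.
        if self.hardened and self.sessions[sid] is None:
            return {}, dumps(Fault(403, "Not logged in"))
        return {}, dumps((f"{method} executed",), methodresponse=True)

    def _login(self, username, password):
        # The session is created and its id placed in a Set-Cookie header before the
        # credentials are checked; this mirrors the behaviour the advisory describes.
        sid = secrets.token_hex(16)
        self.sessions[sid] = None
        headers = {"Set-Cookie": f"{SESSION_COOKIE}={sid}; HttpOnly"}
        if USERS.get(username) != password:
            if self.hardened:
                # Fix: invalidate the session and do not leak its id on the error path.
                del self.sessions[sid]
                headers.pop("Set-Cookie")
            return headers, dumps(Fault(401, "Invalid credentials"))
        self.sessions[sid] = username
        return headers, dumps((sid,), methodresponse=True)


def cookie_from_headers(headers):
    """Extract the session id from a Set-Cookie header, or None if absent."""
    raw = headers.get("Set-Cookie")
    if raw is None:
        return None
    name, _, value = raw.split(";", 1)[0].partition("=")
    return value if name == SESSION_COOKIE else None


def replay_after_failed_login(api, method="ox.exampleMethod"):
    """Attacker flow: fail ox.login, harvest the cookie, replay it on another call.

    The method name is a placeholder, not a real API method.
    Returns True if the replayed call is accepted by the server.
    """
    headers, body = api.handle(dumps(("admin", "wrong"), "ox.login"), cookies={})
    try:
        loads(body)
    except Fault:
        pass  # expected: the login itself is rejected
    else:
        raise AssertionError("login with a wrong password should fail")
    sid = cookie_from_headers(headers)
    if sid is None:
        return False  # nothing leaked, nothing to replay
    _, reply = api.handle(dumps((), method), cookies={SESSION_COOKIE: sid})
    try:
        loads(reply)
    except Fault:
        return False
    return True


def legitimate_login_works(api):
    """Sanity check that the hardened flow still lets valid credentials through."""
    headers, body = api.handle(dumps(("admin", USERS["admin"]), "ox.login"), cookies={})
    sid = cookie_from_headers(headers)
    _, reply = api.handle(dumps((), "ox.exampleMethod"), cookies={SESSION_COOKIE: sid})
    return loads(reply)[0][0] == "ox.exampleMethod executed"
```

The `replay_after_failed_login` function is also the shape of the check to run against a real deployment once a fix is applied: a failed ox.login response should carry no session cookie, and if it does, the id it carries must be rejected on the next call.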
Potential Impact
An attacker with at least limited privileges can obtain a session ID from the headers of a failed ox.login call and reuse it on subsequent API calls without proper authorization, gaining access to XML-RPC functions that are meant to be admin-only. The CVSS score of 4.3 reflects a medium impact: the attack is network-reachable with low privileges required and no user interaction, and the assessed impact is low on confidentiality with no integrity or availability impact.
Mitigation Recommendations
Patch status is not yet confirmed; check the vendor advisory for current remediation guidance. No official fix or temporary mitigation is currently documented. Until a fix is available, restrict access to the XML-RPC API to trusted users and networks, for example by limiting the API path at the web server or reverse proxy, and disable it entirely if it is not in use. After patching, verify the fix directly: a failed ox.login call should return no session cookie, and any session ID it does return should be rejected on the next API call.
CVSS v3.0 score: 4.3 (medium)
Weaknesses: CWE-284 Improper Access Control - Generic
Technical Details
- Data Version: 5.2
- Assigner Short Name: hackerone
- Date Reserved: 2026-06-06T15:00:09.779Z
- CVSS Version: 3.0
- State: PUBLISHED
- Remediation Level: not specified
Threat ID: 6a3dd6604853345fc1fa2e83
Added to database: 06/26/2026, 01:31:12 UTC
Last enriched: 06/26/2026, 01:46:13 UTC
Last updated: 06/26/2026, 01:46:13 UTC