{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-50744", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-06-06T15:00:09.779Z", "datePublished": "2026-06-26T01:11:14.060Z", "dateUpdated": "2026-06-26T01:11:14.060Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A bypass to the admin\u2011only restriction of the XML\u2011RPC API in Revive Adserver 6.0.7. The API response for the ox.login method returned a session ID cookie in the HTTP headers, and although the method correctly returned an error, the associated session was not invalidated. As a result, the leaked session ID could be used to perform subsequent API calls without restrictions."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Revive", "product": "Adserver", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.0.7", "versionType": "semver"}]}], "references": [{"url": "https://hackerone.com/reports/3783738"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control - Generic"}]}], "credits": [{"lang": "en", "value": "Kenji Subagja (garuthacktivist)", "type": "finder"}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-06-26T01:11:14.060Z"}}}}

{}

{}

{}

{"created": "2026-06-26T04:00:07.184188+00:00", "title": "Bypass Admin\u2011Only Restriction via Leaked XML\u2011RPC Session ID in Revive Adserver", "updated": "2026-06-26T04:00:07.184194+00:00", "vendors": []}