CVE-2026-50739

Summary

A bypass for CVE‑2026‑34913 exists with proper ownership validation that had not been applied to the reverse operation of linking campaigns and trackers through the tracker-campaigns.php script in Revive Adserver 6.0.7 and earlier. As a result, a low‑privileged user could link their trackers to campaigns owned by other managers on the same instance, leading to inconsistent ownership relationships.

Affected Software

VendorProductVersion RangeStatus
ReviveAdserver0 <= 6.0.7affected

Weaknesses

  • CWE-284: CWE-284 Improper Access Control - Generic

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References