Revive Adserver: Eight Access Control and Injection Flaws Disclosed Together

Key findings
- Eight vulnerabilities in Revive Adserver 6.0.6 and earlier disclosed on June 23, 2026.
- Flaws include missing access control, enabling unauthorized linking of trackers and banners, and inconsistent ownership.
- SQL injection and PHP code execution risks due to insufficient input validation and sanitization.
- Low-privileged users can exploit these vulnerabilities to manipulate data and gain unauthorized access.
- Vendor has released patches; updating to a secure version is crucial for mitigation.
On June 23, 2026, a batch of eight vulnerabilities was disclosed for Revive Adserver, affecting version 6.0.6 and earlier. These vulnerabilities, primarily stemming from missing access control checks and insufficient input sanitization, could allow low-privileged users to gain unauthorized access, manipulate data, and potentially execute malicious code. The disclosures highlight significant security weaknesses in how the ad server handles user input and permissions, potentially leading to data breaches and system compromise.
Several vulnerabilities revolve around improper access control, allowing unauthorized actions. CVE-2026-34913 and CVE-2026-34912, for instance, involve a missing access control check in the campaign-trackers.php and zone-include.php scripts respectively. These flaws permit low-privileged users to link their trackers or zones to campaigns/banners owned by other managers, creating inconsistent ownership. Similarly, CVE-2026-44958, through the banner-edit.php script, allows an advertiser-level user to activate or deactivate banners without proper permissions, solely based on banner edit privileges. CVE-2026-44957, affecting the XML-RPC API, also suffers from a missing access control check, enabling reassignment of entities and leading to ownership inconsistencies, though it may require combination with other vulnerabilities.
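To make the access-control defect concrete, here is an added example (not Revive Adserver's code) of the two patterns the paragraph contrasts: a link handler that trusts the caller's right to edit the tracker and never asks who owns the campaign, and a hardened handler that refuses unless both objects belong to the caller's agency. The table and column names (`campaigns`, `trackers`, `agencyid`, and so on) and the in-memory SQLite schema are hypothetical stand-ins for illustration; the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not Revive Adserver code. All table and column names are
// hypothetical; the schema exists only so the two handlers can be run.

function setupDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE campaigns (campaignid INTEGER PRIMARY KEY, agencyid INTEGER NOT NULL)');
    $db->exec('CREATE TABLE trackers  (trackerid  INTEGER PRIMARY KEY, agencyid INTEGER NOT NULL)');
    $db->exec('CREATE TABLE campaign_trackers (campaignid INTEGER, trackerid INTEGER)');
    // Constructed sample data: agency 1 owns campaign 10, agency 2 owns
    // campaign 11 and tracker 20.
    $db->exec('INSERT INTO campaigns VALUES (10, 1), (11, 2)');
    $db->exec('INSERT INTO trackers  VALUES (20, 2)');
    return $db;
}

// Vulnerable pattern: the caller's right to edit the tracker is taken for
// granted and the campaign's owner is never consulted, so a manager can
// attach their tracker to a campaign owned by a different manager.
function linkTrackerUnchecked(PDO $db, int $trackerId, int $campaignId): void
{
    $stmt = $db->prepare('INSERT INTO campaign_trackers (campaignid, trackerid) VALUES (?, ?)');
    $stmt->execute([$campaignId, $trackerId]);
}

// Looks up the owning agency of one row; returns null when the row is absent.
function ownerOf(PDO $db, string $table, string $idColumn, int $id): ?int
{
    // $table and $idColumn are fixed by the calling code, never by the request.
    $stmt = $db->prepare("SELECT agencyid FROM {$table} WHERE {$idColumn} = ?");
    $stmt->execute([$id]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : (int) $row;
}

// Hardened pattern: both objects must exist and both must belong to the
// caller's agency before the link is written.
function linkTrackerChecked(PDO $db, int $trackerId, int $campaignId, int $callerAgencyId): void
{
    $trackerOwner  = ownerOf($db, 'trackers', 'trackerid', $trackerId);
    $campaignOwner = ownerOf($db, 'campaigns', 'campaignid', $campaignId);
    if ($trackerOwner !== $callerAgencyId || $campaignOwner !== $callerAgencyId) {
        throw new RuntimeException('access denied: tracker and campaign must both belong to the caller');
    }
    linkTrackerUnchecked($db, $trackerId, $campaignId);
}

$db = setupDemoDb();

// Agency 2 tries to link its tracker 20 to agency 1's campaign 10.
linkTrackerUnchecked($db, 20, 10);   // succeeds: ownership is now inconsistent

try {
    linkTrackerChecked($db, 20, 10, 2);
} catch (RuntimeException $e) {
    echo "blocked: {$e->getMessage()}\n";
}

linkTrackerChecked($db, 20, 11, 2);  // allowed: both rows belong to agency 2
```

The check deliberately compares the owner of each object against the caller rather than against each other: requiring only that tracker and campaign share an owner would still let a caller who can reach a foreign tracker link it to that owner's campaigns.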
Other critical issues stem from inadequate input validation and sanitization. CVE-2026-34914 and CVE-2026-34915, both related to the zone-include.php script, are susceptible to blind SQL injection attacks due to a lack of input sanitization on the clientid parameter. Furthermore, CVE-2026-34916 and CVE-2026-44959 present a risk of PHP code injection. In these cases, a missing validation of user input when saving delivery limitations allows a low-privileged user to inject malicious PHP code into the compiledlimitations field, which can then be executed during banner delivery.
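The two input-handling defects described here can be illustrated with an added example that is not Revive Adserver's code. The first half shows a `clientid` value spliced into SQL beside the typed, bound version; the second half shows why a "compiled limitations" field must be generated server-side from allow-listed parts rather than assembled from user text. The table name `zones`, the `deliveryCheck` fragment, the limitation types and the sample rows are all hypothetical and constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not Revive Adserver code. Query, table, limitation format
// and the deliveryCheck() name are hypothetical stand-ins.

// --- 1. clientid: string concatenation versus a validated, bound parameter ---

// Vulnerable: the raw request value becomes part of the statement, so a
// tautology such as "7 OR 1=1" (or a time-delayed expression, which is what
// makes the injection exploitable blind) rewrites the query.
function zonesForClientUnsafe(PDO $db, string $clientIdFromRequest): array
{
    $sql = 'SELECT zoneid FROM zones WHERE clientid = ' . $clientIdFromRequest;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: refuse anything that is not a positive integer, then bind it.
function zonesForClientSafe(PDO $db, string $clientIdFromRequest): array
{
    if (!ctype_digit($clientIdFromRequest)) {
        throw new InvalidArgumentException('clientid must be a positive integer');
    }
    $stmt = $db->prepare('SELECT zoneid FROM zones WHERE clientid = :clientid');
    $stmt->bindValue(':clientid', (int) $clientIdFromRequest, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- 2. delivery limitations: never persist user text as PHP ---

// Hypothetical allow-list: each limitation type and the comparisons it may
// use. Anything not listed is rejected before it reaches storage.
const ALLOWED_LIMITATIONS = [
    'Client:Language' => ['==', '!='],
    'Time:Hour'       => ['==', '!=', '<', '>'],
];

// Validates one submitted limitation and returns the fragment the server
// itself generates. The user's strings only ever appear as quoted literals.
function compileLimitation(array $input): string
{
    $type = $input['type'] ?? '';
    $op   = $input['comparison'] ?? '';
    $val  = $input['data'] ?? '';
    if (!isset(ALLOWED_LIMITATIONS[$type]) || !in_array($op, ALLOWED_LIMITATIONS[$type], true)) {
        throw new InvalidArgumentException('unknown limitation type or comparison');
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,32}$/', $val)) {
        throw new InvalidArgumentException('limitation value contains disallowed characters');
    }
    // var_export() emits a properly quoted PHP literal, so $val cannot close
    // the string or introduce code when the stored fragment is later evaluated.
    return sprintf('deliveryCheck(%s, %s, %s)',
        var_export($type, true), var_export($val, true), var_export($op, true));
}

// Constructed demo data: client 7 owns zones 1 and 2, client 8 owns zone 3.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE zones (zoneid INTEGER, clientid INTEGER)');
$db->exec('INSERT INTO zones VALUES (1, 7), (2, 7), (3, 8)');

print_r(zonesForClientUnsafe($db, '7 OR 1=1'));   // every zone, not just client 7's
try {
    zonesForClientSafe($db, '7 OR 1=1');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
print_r(zonesForClientSafe($db, '7'));            // zones 1 and 2 only

echo compileLimitation(['type' => 'Time:Hour', 'comparison' => '<', 'data' => '12']), "\n";
try {
    compileLimitation(['type' => 'Time:Hour', 'comparison' => '<', 'data' => "12');"]);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The point of the second half is that validation has to happen at the boundary where the limitation is saved, because the compiled field is consumed later during banner delivery, where no further check is likely to run; a stored fragment is executed with whatever the save path let through.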
The vendor has addressed these vulnerabilities by improving input sanitization and validation across affected scripts and APIs. Patches have been released, and users are strongly advised to update to a version that includes these security enhancements. The consistent disclosure of these eight vulnerabilities on the same day indicates a coordinated effort to address a cluster of security flaws within Revive Adserver.
This batch of vulnerabilities underscores the importance of rigorous access control and input validation in web applications, especially those handling sensitive advertising data and user interactions. Users of Revive Adserver should prioritize updating their installations to mitigate the risks associated with these flaws and prevent potential exploitation by malicious actors. The consistent nature of these bugs suggests a need for a thorough security review of the codebase.