CVE-2026-34912
Revive Adserver Missing Access Control Zone Linking Vulnerability
Description
A missing access control check when linking banners or campaigns to a zone through the zone-include.php script of Revive Adserver 6.0.6 and earlier, or via its API allows a low‑privileged user could link their zones to banners or campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that banners and campaigns can only be linked to zones managed by the same account.
INFO
Published Date :
June 23, 2026, 4:14 p.m.
Last Modified :
June 23, 2026, 4:14 p.m.
Remotely Exploit :
No
Source :
hackerone
Solution
- Implement ownership checks for linking banners and campaigns.
- Ensure linking is restricted to same account zones.
- Review zone-include.php and API for access controls.
- Update Revive Adserver to the latest version.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-34912 vulnerability anywhere in the article.