{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34913", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-03-31T15:00:06.522Z", "datePublished": "2026-06-23T16:14:38.661Z", "dateUpdated": "2026-06-23T17:23:05.997Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A missing access control check when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlier could allow a low\u2011privileged user to link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that campaigns can only be linked to trackers owned by the same advertiser."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Revive", "product": "Adserver", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "6.0.6", "versionType": "semver"}]}], "references": [{"url": "https://hackerone.com/reports/3650582"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control - Generic"}]}], "credits": [{"lang": "en", "value": "Ahmed Ghadban (DarkyOS)", "type": "reporter"}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-06-23T16:14:38.661Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T17:22:59.326404Z", "id": "CVE-2026-34913", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T17:23:05.997Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34913", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T17:22:59.326404Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T17:23:03.209Z"}}], "cna": {"credits": [{"lang": "en", "type": "reporter", "value": "Ahmed Ghadban (DarkyOS)"}], "metrics": [{"cvssV3_0": {"version": "3.0", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "Revive", "product": "Adserver", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "6.0.6"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://hackerone.com/reports/3650582"}], "descriptions": [{"lang": "en", "value": "A missing access control check when linking trackers to campaigns through the campaign-trackers.php script of Revive Adserver 6.0.6 and earlier could allow a low\u2011privileged user to link their trackers to campaigns owned by other managers on the same instance, resulting in inconsistent ownership relationships. Ownership validation has been added to ensure that campaigns can only be linked to trackers owned by the same advertiser."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control - Generic"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-06-23T16:14:38.661Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34913", "state": "PUBLISHED", "dateUpdated": "2026-06-23T17:23:05.997Z", "dateReserved": "2026-03-31T15:00:06.522Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-06-23T16:14:38.661Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,6.0.6]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Adserver", "source": "cna", "vendor": "Revive"}, "product": "adserver", "vendor": "revive"}], "created": "2026-06-23T19:00:07.422532+00:00", "title": "Missing Access Control in Tracker\u2011Campaign Linking Allows Unauthorized Ownership Manipulation", "updated": "2026-06-23T20:15:04.420529+00:00", "vendors": ["revive", "revive$PRODUCT$adserver"]}