CVE-2026-34917 | Low‑privileged session IDs generated for the web admin conso… | CVSS 4.3 MEDIUM

Description

Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context (web/API) is now recorded along with other session data, preventing session IDs from being used interchangeably.

Metadata

CVE ID: CVE-2026-34917
State: PUBLISHED
Assigner: hackerone
Reserved: 2026-03-31 15:00 UTC
Published: 2026-06-23 16:14 UTC
Last updated: 2026-06-23 17:24 UTC
Primary CWE: CWE-287
CWE-287 Improper Authentication - Generic
Vendor / Product: Revive / Adserver
Sources: cve.org · NVD

Severity & Metrics

4.3 MEDIUM CVSS 3.0

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Revive	Adserver	—	0 ≤ 6.0.6

Weakness (CWE)

CWE	Source	Description
CWE-287	cna	CWE-287 Improper Authentication - Generic

CVSS scores (1)

Score	Severity	Version	Source	Vector
4.3	MEDIUM	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (1)

https://hackerone.com/reports/3672641