
CVE-2026-7686: Medium Vulnerability in eyeo Adblock Plus

A medium-severity vulnerability has been identified in eyeo Adblock Plus up to version 4.36.2 on Chrome. The flaw is an improper access control that can be triggered remotely. Organizations should prioritize patching to mitigate the risk.

Medium · CVSS 5.5 · Published May 3, 2026

A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading the affected component is recommended. The vendor provides additional details: "The affected code path is a legacy Premium activation flow that has been deprecated. eyeo has already migrated to a new user account-based licensing system. The exploit does not grant permanent Premium access. The licensing server issues a short-lived trial license (valid for approximately 24 hours) for any submitted userId. On the next license check, the server validates against a real subscription and the trial expires if no valid subscription is found. The researcher's claim of permanently unlocking all Premium features is therefore incorrect. (...) The old flow has been present for years and has not been weaponized at scale to our knowledge. The risk to eyeo and to users is minimal."

The CVSS score for this vulnerability is 5.5, categorizing it as medium severity. The risk to organizations includes potential unauthorized access due to improper access controls, which could lead to data integrity issues. Thus, organizations should address this vulnerability in their priority patch cycle.

The vulnerability is characterized by a network attack vector with low complexity, requiring no privileges or user interaction. The immediate impact on confidentiality and availability is none, while the integrity impact is assessed as low. Organizations are advised to upgrade their installations of eyeo Adblock Plus to mitigate this flaw.

The exploit has been made public; however, it does not lead to permanent access to Premium features. Instead, a short-lived trial license is issued, which lasts about 24 hours and expires at the next license check unless a valid subscription is found. This limits the impact, though organizations should still remain vigilant.

Vulnerability Details

The official CVE description states that the issue affects eyeo Adblock Plus up to version 4.36.2. The vulnerability is an improper access control in the premium.preload.js file, which is part of the Legacy Premium Activation component.

The CVSS score of this vulnerability is 5.5, denoting medium severity. This score is derived from its low attack complexity and the fact that it does not require user interaction or privileges. The publication date of this vulnerability is May 3, 2026.

Technical Analysis

The root cause of this vulnerability is the legacy Premium activation flow within eyeo Adblock Plus. Manipulating input to the postMessage handler in that flow bypasses its access controls, which enables remote exploitation. The attack vector is the network and the attack complexity is low, meaning that an attacker does not require advanced skills to exploit this vulnerability.

No privileges are required to exploit this vulnerability, and user interaction is not necessary. The potential impacts include a low integrity impact, as unauthorized changes may occur, while confidentiality and availability remain unaffected.
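The advisory names the class of flaw (improper access control in a postMessage handler) but not the code. The following is an added illustration, not eyeo's code and not the actual Adblock Plus handler: it contrasts a handler that acts on any correctly shaped message with one that enforces sender origin and a strict message schema before doing anything privileged. The origin list, the `activatePremium` message shape, the `userId` format and the `activate`/`audit` callbacks are all assumptions for the example.

```javascript
// Added illustration of the postMessage access-control pattern this advisory names.
// This is NOT eyeo's code: the origin list, message shape and callbacks are assumptions.

// Assumed set of first-party origins allowed to trigger activation (placeholder host).
const TRUSTED_ACTIVATION_ORIGINS = new Set([
  "https://accounts.example-vendor.test",
]);

// Legacy-style handler: acts on any message with the expected shape, regardless of sender.
// Any page that can reach the window can post such a message, so there is no access control.
function legacyActivationHandler(event, activate) {
  const data = event.data;
  if (data && data.type === "activatePremium" && typeof data.userId === "string") {
    activate(data.userId);
    return true;
  }
  return false;
}

// Hardened handler: checks event.origin against an allow-list and validates the schema
// before the privileged callback runs; rejections go to an audit callback for detection.
// A real browser handler would additionally compare event.source with the expected window.
function hardenedActivationHandler(event, activate, audit) {
  if (!TRUSTED_ACTIVATION_ORIGINS.has(event.origin)) {
    audit(`rejected activation message from untrusted origin ${event.origin}`);
    return false;
  }
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "activatePremium") {
    return false;
  }
  if (typeof data.userId !== "string" || !/^[A-Za-z0-9_-]{8,64}$/.test(data.userId)) {
    audit("rejected activation message with malformed userId");
    return false;
  }
  activate(data.userId);
  return true;
}

// Driver: run both handlers over the same constructed message events and compare.
function compareHandlers() {
  const events = [
    // constructed: legitimate first-party activation
    { origin: "https://accounts.example-vendor.test", data: { type: "activatePremium", userId: "user_0001abcd" } },
    // constructed: same payload from a third-party origin
    { origin: "https://third-party.example", data: { type: "activatePremium", userId: "user_0001abcd" } },
    // constructed: first-party origin but malformed userId
    { origin: "https://accounts.example-vendor.test", data: { type: "activatePremium", userId: "<script>" } },
  ];
  const result = { legacyAccepted: 0, hardenedAccepted: 0, auditLog: [] };
  for (const ev of events) {
    if (legacyActivationHandler(ev, () => {})) result.legacyAccepted += 1;
    if (hardenedActivationHandler(ev, () => {}, (msg) => result.auditLog.push(msg))) {
      result.hardenedAccepted += 1;
    }
  }
  return result;
}
```

Running `compareHandlers()` shows the legacy handler accepting all three events while the hardened one accepts only the first and records two audit entries; the audit callback is what gives the detection guidance below something concrete to monitor.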

Risk & Impact Analysis

Organizations utilizing eyeo Adblock Plus should assess the risk associated with this vulnerability. The improper access controls could lead to a situation where attackers exploit the flaw to manipulate premium features, albeit temporarily. While the vendor has indicated that the risk is minimal, organizations should not ignore potential impacts on user trust and application integrity.

Given that the vulnerability has been made public, organizations should prioritize the patching of affected systems. The CVSS score of 5.5 underscores the need for prompt action to mitigate potential risks.

Exploitation Status

Signal              Status
Known Exploit       No
Public PoC          No
Actively Exploited  No
Ransomware Use      No

Affected Versions

This vulnerability affects eyeo Adblock Plus versions up to 4.36.2 on Chrome. Organizations should ensure they are using the latest version to mitigate risk.

Mitigation & Remediation

To remediate this vulnerability, organizations should upgrade to the latest version of eyeo Adblock Plus. This will ensure that the deprecated Legacy Premium Activation flow is no longer in use. Additionally, security testing should be conducted to validate the effectiveness of the patch. Organizations should consider implementing continuous security testing to maintain ongoing compliance and security posture.

Detection Guidance

Organizations should monitor logs for unusual access patterns or behavior that may indicate attempts to exploit this vulnerability, for example repeated trial-license issuance for the same userId without a validated subscription. Additionally, any changes to the legacy activation flow should be tracked to ensure that no unauthorized access occurs.
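The vendor statement above describes the observable pattern: a trial license is issued for any submitted userId and expires at the next license check if no subscription is found, so abuse shows up as the same userId being granted trials again and again without ever validating. The following is an added detection sketch written for this page; it is not eyeo's tooling, the licensing-server log format and field names are constructed for the example, and the threshold is an assumption.

```javascript
// Added detection sketch: flag userIds that repeatedly receive trial licenses without any
// validated subscription. Log format, event names and field names are constructed here
// and are not eyeo's; the threshold is an assumption.

// Constructed sample lines: ISO timestamp, event name, userId, optional result.
const SAMPLE_LICENSE_LOG = [
  "2026-05-01T09:00:00Z trial_issued user_aaaa",
  "2026-05-02T09:05:00Z license_check user_aaaa result=no_subscription",
  "2026-05-02T09:06:00Z trial_issued user_aaaa",
  "2026-05-03T09:10:00Z license_check user_aaaa result=no_subscription",
  "2026-05-03T09:11:00Z trial_issued user_aaaa",
  "2026-05-01T10:00:00Z trial_issued user_bbbb",
  "2026-05-02T10:00:00Z license_check user_bbbb result=subscription_valid",
  "2026-05-01T11:00:00Z trial_issued user_cccc",
  "this line is malformed and must be skipped",
];

// Parse one log line into a record, or null if it does not match the constructed format.
function parseLicenseLine(line) {
  const m = /^(\S+) (trial_issued|license_check) (\S+)(?: result=(\S+))?$/.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), event: m[2], userId: m[3], result: m[4] || null };
}

// Return userIds with at least `threshold` trial issuances and no subscription_valid result,
// sorted by userId for stable output.
function findTrialLoopers(lines, threshold = 2) {
  const perUser = new Map();
  for (const line of lines) {
    const rec = parseLicenseLine(line);
    if (!rec) continue; // skip lines that do not parse
    const u = perUser.get(rec.userId) || { trials: 0, validated: false };
    if (rec.event === "trial_issued") u.trials += 1;
    if (rec.event === "license_check" && rec.result === "subscription_valid") u.validated = true;
    perUser.set(rec.userId, u);
  }
  const flagged = [];
  for (const [userId, u] of perUser) {
    if (u.trials >= threshold && !u.validated) flagged.push({ userId, trials: u.trials });
  }
  return flagged.sort((a, b) => a.userId.localeCompare(b.userId));
}
```

On the constructed sample, `findTrialLoopers(SAMPLE_LICENSE_LOG)` flags only `user_aaaa` (three trials, never validated); `user_bbbb` validated a subscription and `user_cccc` received a single trial, which is normal for a new user.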

AppSecure Threat Intelligence Insight

The identification of this vulnerability highlights the need for organizations to regularly review and upgrade legacy systems. As technology evolves, older systems may become more susceptible to vulnerabilities. The transition to user account-based licensing is a positive step for eyeo, but organizations must remain vigilant against potential exploitation of legacy functionalities.

For further insights on improving application security, organizations can refer to our guide on penetration testing methodologies and other security practices.

Continued education on security protocols can significantly aid in reducing the risk of exploitation, especially for legacy systems still in operation.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
