A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. The affected code is the function postMessage in the file premium.preload.js of the Legacy Premium Activation component. Manipulation of this function leads to improper access controls. The attack can be carried out remotely. The exploit has been published and could be used. Upgrading the affected component is recommended. The vendor provides additional details: "The affected code path is a legacy Premium activation flow that has been deprecated. eyeo has already migrated to a new user account-based licensing system. The exploit does not grant permanent Premium access. The licensing server issues a short-lived trial license (valid for approximately 24 hours) for any submitted userId. On the next license check, the server validates against a real subscription and the trial expires if no valid subscription is found. The researcher's claim of permanently unlocking all Premium features is therefore incorrect. (...) The old flow has been present for years and has not been weaponized at scale to our knowledge. The risk to eyeo and to users is minimal."
CVE-2026-7686 is a medium-severity vulnerability in Adblock Plus for Chrome (versions up to 4.36.2) affecting the Legacy Premium Activation component through improper access controls in the postMessage function. The vulnerability allows remote exploitation to obtain temporary trial licenses, though permanent Premium access is not granted and licenses expire within 24 hours.
This vulnerability affects the legacy Premium activation component in Adblock Plus, which eyeo has already deprecated. Exploitation yields a short-lived trial license (about 24 hours) rather than permanent Premium access. The licensing server validates against real subscriptions at the next check, and the trial license expires if no valid subscription exists.
A medium-severity vulnerability exists in the Adblock Plus Chrome extension up to version 4.36.2 that allows improper access to Premium features through manipulation of the postMessage function in legacy activation code. Exploitation results in short-lived trial licenses (approximately 24 hours) rather than permanent Premium access.
Update Adblock Plus to version 4.36.3 or later immediately. Users should verify their Premium subscription status through the official licensing system. Organizations should enforce browser extension policies to restrict or monitor Adblock Plus installations. Monitor for suspicious Premium activation attempts in access logs.
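The defect class here is a message handler that acts on window messages without checking where they came from. The following is an added illustration of that class and of the usual fix, not code from Adblock Plus or from premium.preload.js: the handler names, the ALLOWED_ORIGINS value, the message shape and the sample events are all constructed assumptions. It contrasts a handler that trusts any sender with one that checks the message origin, the sending window, and the message shape before accepting an activation request.

```javascript
// Added example (not Adblock Plus code). All names and values below are
// assumptions chosen for illustration.

// Constructed allow-list: the only origin permitted to send activation messages.
const ALLOWED_ORIGINS = new Set(["https://accounts.example.com"]);

// Weak handler: any page that can reach this frame via postMessage can
// trigger activation, because neither origin nor sender is examined.
function weakActivationHandler(event) {
  const data = event.data;
  if (data && data.type === "activate-premium") {
    return { accepted: true, userId: data.userId };
  }
  return { accepted: false, reason: "ignored" };
}

// Hardened handler: reject anything that does not come from an allowed
// origin, from the expected window, or that does not match the expected shape.
function hardenedActivationHandler(event, expectedSource) {
  if (!ALLOWED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin" };
  }
  if (expectedSource !== undefined && event.source !== expectedSource) {
    return { accepted: false, reason: "unexpected sender window" };
  }
  const data = event.data;
  if (typeof data !== "object" || data === null) {
    return { accepted: false, reason: "malformed message" };
  }
  if (data.type !== "activate-premium") {
    return { accepted: false, reason: "ignored" };
  }
  // Constructed userId format; a real check would match the server's rules.
  if (typeof data.userId !== "string" || !/^[A-Za-z0-9_-]{8,64}$/.test(data.userId)) {
    return { accepted: false, reason: "invalid userId" };
  }
  return { accepted: true, userId: data.userId };
}

// Constructed sample events; plain objects so this runs without a DOM.
const trustedWindow = { name: "accounts-frame" };
const eventFromUntrustedPage = {
  origin: "https://untrusted.example",
  source: { name: "other-frame" },
  data: { type: "activate-premium", userId: "user_00000001" },
};
const eventFromTrustedPage = {
  origin: "https://accounts.example.com",
  source: trustedWindow,
  data: { type: "activate-premium", userId: "user_00000001" },
};

// Wiring in a real page would look like this (guarded so the file also runs in Node).
if (typeof window !== "undefined") {
  window.addEventListener("message", (e) => hardenedActivationHandler(e, window.parent));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("weak:", weakActivationHandler(eventFromUntrustedPage));
  console.log("hardened, untrusted:", hardenedActivationHandler(eventFromUntrustedPage, trustedWindow));
  console.log("hardened, trusted:", hardenedActivationHandler(eventFromTrustedPage, trustedWindow));
}
```

The origin check is the decisive one: a trial license being issued "for any submitted userId" only matters because an arbitrary page could submit one. Checking event.source as well closes the case where a trusted origin has been framed or opened by an untrusted page, and the shape check keeps unexpected fields from reaching the licensing request.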