CVE-2026-34456 — CRITICAL (9.1)

Vulnerability Description

Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching email addresses. An attacker could create or control a social account (e.g., Google, GitHub, Discord) using a victim’s email address and gain full access to the victim's account without knowing their password. This results in a full account takeover with no prior authentication required. This issue has been patched in version 26.2.0-beta.5.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Reviactyl	Reviactyl	26.2.0

Related Weaknesses (CWE)

CWE-284

References

https://github.com/reviactyl/panel/commit/fe0c29fc62fefe354c9ab8936dfe30fdb586a8Patch
https://github.com/reviactyl/panel/releases/tag/v26.2.0-beta.5ProductRelease Notes
https://github.com/reviactyl/panel/security/advisories/GHSA-8mcf-rp68-xhfgMitigationPatchVendor Advisory

FAQ

What is CVE-2026-34456?

CVE-2026-34456 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth...

How severe is CVE-2026-34456?

CVE-2026-34456 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-34456?

Check the references section above for vendor advisories and patch information. Affected products include: Reviactyl Reviactyl.