CVE-2026-34456
Published: 01 April 2026
Summary
CVE-2026-34456 is a critical-severity Improper Access Control (CWE-284) vulnerability in Reviactyl Reviactyl. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved access control policies and associated access enforcers to prevent unauthorized account linking based solely on email matching during OAuth flows.
Manages identity providers and authorization servers to ensure robust verification of OAuth assertions beyond email addresses, blocking automatic account linkage exploits.
Implements account management processes to validate and authorize linkages between local accounts and external social identities, mitigating unauthorized takeovers.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability resides in the OAuth flow of a web-based game server management panel, allowing unauthenticated network attackers to exploit improper access control for account takeover without credentials or user interaction, directly mapping to exploitation of public-facing applications for initial access.
NVD Description
Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching…
more
email addresses. An attacker could create or control a social account (e.g., Google, GitHub, Discord) using a victim’s email address and gain full access to the victim's account without knowing their password. This results in a full account takeover with no prior authentication required. This issue has been patched in version 26.2.0-beta.5.
Deeper analysisAI
CVE-2026-34456 is a high-severity vulnerability (CVSS 3.1 score of 9.1) affecting Reviactyl, an open-source game server management panel built with Laravel, React, FilamentPHP, Vite, and Go. The issue resides in the OAuth authentication flow and impacts versions from 26.2.0-beta.1 up to but not including 26.2.0-beta.5. It enables automatic linking of social accounts solely based on matching email addresses, bypassing proper verification and mapped to CWE-284 (Improper Access Control).
Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By creating or controlling a social account—such as those from Google, GitHub, or Discord—using a victim's email address, the attacker triggers automatic account linkage during OAuth flow. This grants full access to the victim's Reviactyl account without needing their password or prior authentication, resulting in complete account takeover with high confidentiality and integrity impacts but no availability disruption.
The vulnerability has been patched in Reviactyl version 26.2.0-beta.5, as detailed in the project's GitHub security advisory (GHSA-8mcf-rp68-xhfg), release notes, and the fixing commit (fe0c29fc62fefe354c9ab8936dfe30fdb586a896). Security practitioners should urge users to upgrade immediately to the patched version and review OAuth configurations to prevent email-based account linking abuses.
Details
- CWE(s)