Cyber Resilience

CVE-2026-34456

Critical

Published: 01 April 2026

Published
01 April 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0046 36.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-34456 is a critical-severity Improper Access Control (CWE-284) vulnerability in Reviactyl Reviactyl. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-34456 is a high-severity vulnerability (CVSS 3.1 score of 9.1) affecting Reviactyl, an open-source game server management panel built with Laravel, React, FilamentPHP, Vite, and Go. The issue resides in the OAuth authentication flow and impacts versions from 26.2.0-beta.1 up to but not including 26.2.0-beta.5. It enables automatic linking of social accounts solely based on matching email addresses, bypassing proper verification and mapped to CWE-284 (Improper Access Control).

Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction required. By creating or controlling a social account—such as those from Google, GitHub, or Discord—using a victim's email address, the attacker triggers automatic account linkage during OAuth flow. This grants full access to the victim's Reviactyl account without needing their password or prior authentication, resulting in complete account takeover with high confidentiality and integrity impacts but no availability disruption.

The vulnerability has been patched in Reviactyl version 26.2.0-beta.5, as detailed in the project's GitHub security advisory (GHSA-8mcf-rp68-xhfg), release notes, and the fixing commit (fe0c29fc62fefe354c9ab8936dfe30fdb586a896). Security practitioners should urge users to upgrade immediately to the patched version and review OAuth configurations to prevent email-based account linking abuses.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching…

more

email addresses. An attacker could create or control a social account (e.g., Google, GitHub, Discord) using a victim’s email address and gain full access to the victim's account without knowing their password. This results in a full account takeover with no prior authentication required. This issue has been patched in version 26.2.0-beta.5.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability resides in the OAuth flow of a web-based game server management panel, allowing unauthenticated network attackers to exploit improper access control for account takeover without credentials or user interaction, directly mapping to exploitation of public-facing applications for initial access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7198Shared CWE-284
CVE-2026-46818Shared CWE-284
CVE-2025-70363Shared CWE-284
CVE-2026-34310Shared CWE-284
CVE-2026-46839Shared CWE-284
CVE-2026-34287Shared CWE-284
CVE-2026-44277Shared CWE-284
CVE-2025-66509Shared CWE-284
CVE-2025-50900Shared CWE-284
CVE-2025-7016Shared CWE-284

Affected Assets

reviactyl
reviactyl
26.2.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved access control policies and associated access enforcers to prevent unauthorized account linking based solely on email matching during OAuth flows.

prevent

Manages identity providers and authorization servers to ensure robust verification of OAuth assertions beyond email addresses, blocking automatic account linkage exploits.

prevent

Implements account management processes to validate and authorize linkages between local accounts and external social identities, mitigating unauthorized takeovers.

References