Impact Analysis

This vulnerability allows an attacker to take over your Reviactyl account without needing your password or any prior authentication.

Once the attacker controls your account, they can access all data and perform any actions available to you within the panel, leading to a full compromise of your account.

Because the attack can be performed remotely over the network with low complexity and no user interaction, it poses a severe security risk.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-34456 is a critical vulnerability in the OAuth authentication flow of the Reviactyl game server management panel. The issue occurs because the system automatically links social login accounts to existing user accounts based solely on matching email addresses.

An attacker can create or control a social account (such as Google, GitHub, or Discord) using the victim's email address and gain full access to the victim's Reviactyl account without knowing their password or any prior authentication.

This automatic linking behavior was removed in the patched version 26.2.0-beta.5, which now requires users to manually link social accounts after authenticating with their email and password.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should upgrade the reviactyl panel to version 26.2.0-beta.5 or later, where the issue has been patched.

As a temporary mitigation before upgrading, disable all OAuth login providers to reduce exposure to the vulnerability.

The patch removes automatic linking of social accounts based on email matching and requires manual linking after user authentication, preventing unauthorized account takeover.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows an attacker to take over user accounts without authentication by exploiting automatic linking of social accounts based on email addresses. This results in unauthorized access to sensitive user data and full account control.

Such unauthorized access and potential data exposure can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Because the vulnerability compromises confidentiality and integrity of user accounts, affected organizations may face compliance risks, including failure to protect personal data adequately and potential legal and financial consequences.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves automatic linking of social login accounts based solely on matching email addresses in the OAuth authentication flow of the reviactyl/panel. Detection would primarily involve verifying the version of the reviactyl panel software running on your system.

You can detect if your system is vulnerable by checking the installed version of the reviactyl panel. Versions from 26.2.0-beta.1 up to but not including 26.2.0-beta.5 are affected.

Suggested commands to check the installed version depend on your deployment method. For example, if you have access to the panel's source code or installation directory, you might check the version via Git or package manager commands.

• Run `git -C /path/to/reviactyl/panel describe --tags` to get the current version if installed via Git.
• Check the version in the composer.json or composer.lock files if using Composer.
• Look for the version in the application UI or about page if available.

Additionally, monitoring login attempts via OAuth providers for suspicious automatic account linking behavior could indicate exploitation attempts, but no specific network or system commands are provided in the available resources.

Useful 0 Not Useful 0