9.8

CVE-2026-34456

Reviactyl: OAuth account takeover via auto-linking

Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching email addresses. An attacker could create or control a social account (e.g., Google, GitHub, Discord) using a victim’s email address and gain full access to the victim's account without knowing their password. This results in a full account takeover with no prior authentication required. This issue has been patched in version 26.2.0-beta.5.
Data provided by the National Vulnerability Database (NVD)
Affected configurations (vendor: Reviactyl, product: Reviactyl):
Version 26.2.0, update beta1
Version 26.2.0, update beta2
Version 26.2.0, update beta3
Version 26.2.0, update beta4
No advisory notice was found for this CVE.
EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   0.46%   0.36
CVSS metrics
Source                           Base Score   Exploit Score   Impact Score   Vector String
nvd@nist.gov                     9.8          3.9             5.9            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com   9.1          3.9             5.2            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

References:
https://github.com/reviactyl/panel/security/advisories/GHSA-8mcf-rp68-xhfg (Patch, Vendor Advisory, Mitigation)
https://github.com/reviactyl/panel/commit/fe0c29fc62fefe354c9ab8936dfe30fdb586a896 (Patch)
https://github.com/reviactyl/panel/releases/tag/v26.2.0-beta.5 (Product, Release Notes)