CVE-2026-34456: CWE-284: Improper Access Control in reviactyl panel
A critical improper access control vulnerability (CWE-284) exists in the Reviactyl panel versions 26. 2. 0-beta. 1 through before 26. 2. 0-beta. 5. The flaw is in the OAuth authentication flow, where social accounts are automatically linked based solely on matching email addresses. An attacker controlling a social account with the victim's email can gain full access to the victim's panel account without needing the victim's password. This leads to a full account takeover without prior authentication.
AI Analysis
Technical Summary
Reviactyl panel, an open-source game server management tool, had a vulnerability in its OAuth authentication flow in versions from 26.2.0-beta.1 up to but not including 26.2.0-beta.5. The vulnerability allowed automatic linking of social accounts based solely on email address matching, enabling attackers who control a social account with the victim's email to bypass authentication and take over the victim's account. This improper access control issue (CWE-284) was fixed in version 26.2.0-beta.5.
Potential Impact
Successful exploitation results in a full account takeover without requiring the victim's password or prior authentication. This compromises confidentiality and integrity of the victim's account but does not affect availability. The CVSS v3.1 score is 9.1 (critical), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and integrity.
Mitigation Recommendations
Upgrade Reviactyl panel to version 26.2.0-beta.5 or later, where this vulnerability has been patched. No other mitigations are indicated or required as the fix addresses the root cause.
CVE-2026-34456: CWE-284: Improper Access Control in reviactyl panel
Description
A critical improper access control vulnerability (CWE-284) exists in the Reviactyl panel versions 26. 2. 0-beta. 1 through before 26. 2. 0-beta. 5. The flaw is in the OAuth authentication flow, where social accounts are automatically linked based solely on matching email addresses. An attacker controlling a social account with the victim's email can gain full access to the victim's panel account without needing the victim's password. This leads to a full account takeover without prior authentication.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Reviactyl panel, an open-source game server management tool, had a vulnerability in its OAuth authentication flow in versions from 26.2.0-beta.1 up to but not including 26.2.0-beta.5. The vulnerability allowed automatic linking of social accounts based solely on email address matching, enabling attackers who control a social account with the victim's email to bypass authentication and take over the victim's account. This improper access control issue (CWE-284) was fixed in version 26.2.0-beta.5.
Potential Impact
Successful exploitation results in a full account takeover without requiring the victim's password or prior authentication. This compromises confidentiality and integrity of the victim's account but does not affect availability. The CVSS v3.1 score is 9.1 (critical), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality and integrity.
Mitigation Recommendations
Upgrade Reviactyl panel to version 26.2.0-beta.5 or later, where this vulnerability has been patched. No other mitigations are indicated or required as the fix addresses the root cause.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-27T18:18:14.895Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cd7b33e6bfc5ba1df4980f
Added to database: 4/1/2026, 8:08:19 PM
Last enriched: 4/10/2026, 12:09:21 AM
Last updated: 5/21/2026, 11:53:23 AM
Views: 36
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.