
CVE-2026-34456: CWE-284: Improper Access Control in reviactyl panel

Severity: Critical
Tags: Vulnerability, CVE-2026-34456, CWE-284
Published: Wed Apr 01 2026 (04/01/2026, 20:00:55 UTC)
Source: CVE Database V5
Vendor/Project: reviactyl
Product: panel

Description

Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching email addresses. An attacker could create or control a social account (e.g., Google, GitHub, Discord) using a victim’s email address and gain full access to the victim's account without knowing their password. This results in a full account takeover with no prior authentication required. This issue has been patched in version 26.2.0-beta.5.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 04/01/2026, 20:24:07 UTC

Technical Analysis

Reviactyl is an open-source game server management panel leveraging Laravel, React, FilamentPHP, Vite, and Go. Versions from 26.2.0-beta.1 up to but not including 26.2.0-beta.5 contain a critical vulnerability (CVE-2026-34456) classified as CWE-284: Improper Access Control. The vulnerability arises from the OAuth authentication flow's flawed logic that automatically links social login accounts to existing Reviactyl user accounts solely based on matching email addresses. This means if an attacker can create or control a social login account (such as Google, GitHub, or Discord) using the victim’s email address, the system will link that social account to the victim’s Reviactyl account without requiring any password or additional verification. Consequently, the attacker gains full control over the victim’s panel account, enabling unauthorized access to game server management functions. The vulnerability requires no prior authentication or user interaction and can be exploited remotely over the network. The issue was identified and patched in version 26.2.0-beta.5. The CVSS v3.1 base score is 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating a critical severity with high confidentiality and integrity impact but no availability impact. No known exploits are currently reported in the wild, but the ease of exploitation and impact make it a high-risk vulnerability for affected users.

Potential Impact

The primary impact of CVE-2026-34456 is a complete account takeover of Reviactyl panel user accounts without requiring authentication. This compromises the confidentiality and integrity of user accounts, allowing attackers to manage game servers, alter configurations, or disrupt services indirectly. For organizations relying on Reviactyl for game server management, this could lead to unauthorized server control, data leakage, or sabotage of gaming environments. Since the vulnerability does not affect availability directly, denial-of-service is not the main concern, but the loss of control over administrative accounts can have severe operational and reputational consequences. The vulnerability’s ease of exploitation and lack of required user interaction increase the risk of widespread abuse if attackers target vulnerable installations. Organizations with exposed Reviactyl panels running affected versions are at significant risk of compromise, especially if social login options are enabled and email addresses are predictable or publicly known.

Mitigation Recommendations

1. Immediate upgrade of all Reviactyl panel instances to version 26.2.0-beta.5 or later, where the vulnerability is patched.
2. Review and restrict OAuth social login configurations to ensure proper verification beyond email matching, such as requiring explicit user consent or multi-factor authentication.
3. Implement monitoring and alerting for unusual login patterns or new social account linkages to detect potential account takeover attempts.
4. Conduct audits of existing user accounts to identify suspicious linked social accounts and unlink or reset affected accounts.
5. Educate users and administrators about the risks of using social login with shared or publicly known email addresses.
6. If upgrading immediately is not feasible, temporarily disable social login features or restrict access to the panel via network controls to trusted IPs.
7. Employ additional identity verification mechanisms for account linking processes to prevent unauthorized automatic linking based solely on email.
8. Regularly review and update OAuth integration code to follow best security practices and avoid similar logic flaws.
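The following is an added example, written for this page and not taken from Reviactyl (whose panel is a Laravel application): it contrasts the flawed linking decision the analysis describes with the hardened form that mitigation items 2, 3 and 7 call for. The in-memory store, the field names, the error values and the sample accounts are all constructed for the example. The hardened handler never links on an email match alone: an unlinked provider identity is attached to an account only from an already authenticated session, and every link is written to an audit log so new linkages can be monitored.

```go
package main

import (
	"errors"
	"fmt"
)

// SocialProfile is what the OAuth provider returns after the callback.
// Field names are this example's own, not Reviactyl's.
type SocialProfile struct {
	Provider   string // e.g. "github", "google", "discord"
	ProviderID string // the provider's stable subject identifier
	Email      string // email address asserted by the provider
}

// User is a minimal panel account.
type User struct {
	ID    int
	Email string
}

type identityKey struct{ provider, providerID string }

// Store is an in-memory stand-in for the panel's user and identity tables.
type Store struct {
	usersByID    map[int]*User
	usersByEmail map[string]*User
	identities   map[identityKey]int // (provider, subject) -> user ID
	AuditLog     []string            // link events: the signal mitigation item 3 asks to monitor
	nextID       int
}

func NewStore() *Store {
	return &Store{
		usersByID:    map[int]*User{},
		usersByEmail: map[string]*User{},
		identities:   map[identityKey]int{},
		nextID:       1,
	}
}

// AddUser creates a password-based account (the victim in the scenario).
func (s *Store) AddUser(email string) *User {
	u := &User{ID: s.nextID, Email: email}
	s.nextID++
	s.usersByID[u.ID] = u
	s.usersByEmail[email] = u
	return u
}

// link records a provider identity against a user and logs the event.
func (s *Store) link(k identityKey, u *User) {
	s.identities[k] = u.ID
	s.AuditLog = append(s.AuditLog, fmt.Sprintf("linked %s:%s to user %d", k.provider, k.providerID, u.ID))
}

var (
	// ErrLinkRequiresLogin: an anonymous social login matched an existing account by email only.
	ErrLinkRequiresLogin = errors.New("an account with this email exists: sign in with your password, then link the provider from account settings")
	// ErrIdentityInUse: the provider identity is already linked to a different account.
	ErrIdentityInUse = errors.New("this provider account is already linked to another user")
)

// VulnerableCallback reproduces the flawed flow described in the advisory: an
// unlinked social identity whose email matches an existing user is silently
// linked to that user and logged in, with no proof that the user controls
// the provider account.
func (s *Store) VulnerableCallback(p SocialProfile) *User {
	k := identityKey{p.Provider, p.ProviderID}
	if id, ok := s.identities[k]; ok {
		return s.usersByID[id]
	}
	if u, ok := s.usersByEmail[p.Email]; ok {
		s.link(k, u) // auto-link: whoever controls the provider account now owns u
		return u
	}
	u := s.AddUser(p.Email)
	s.link(k, u)
	return u
}

// HardenedCallback never links on an email match alone. sessionUser is the
// currently authenticated panel user, or nil for an anonymous visitor.
func (s *Store) HardenedCallback(p SocialProfile, sessionUser *User) (*User, error) {
	k := identityKey{p.Provider, p.ProviderID}
	if id, ok := s.identities[k]; ok {
		if sessionUser != nil && sessionUser.ID != id {
			return nil, ErrIdentityInUse
		}
		return s.usersByID[id], nil // previously linked: a normal login
	}
	if sessionUser != nil {
		s.link(k, sessionUser) // explicit link from an authenticated session (consent step)
		return sessionUser, nil
	}
	if _, ok := s.usersByEmail[p.Email]; ok {
		return nil, ErrLinkRequiresLogin // email match proves nothing about provider control
	}
	u := s.AddUser(p.Email) // genuinely new user: create the account and link it
	s.link(k, u)
	return u, nil
}

func main() {
	// Constructed scenario: a provider account registered with the victim's email.
	p := SocialProfile{Provider: "github", ProviderID: "subject-a", Email: "victim@example.com"}
	bad := NewStore()
	victim := bad.AddUser("victim@example.com")
	fmt.Println("vulnerable flow logs in as user", bad.VulnerableCallback(p).ID, "(victim is", victim.ID, ")")
	good := NewStore()
	good.AddUser("victim@example.com")
	_, err := good.HardenedCallback(p, nil)
	fmt.Println("hardened flow:", err)
}
```

The audit log is the hook for mitigation item 3: a new entry for an account that already had a password login, or several links arriving for one provider subject, is the kind of linkage event worth alerting on.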


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-03-27T18:18:14.895Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69cd7b33e6bfc5ba1df4980f

Added to database: 4/1/2026, 8:08:19 PM

Last enriched: 4/1/2026, 8:24:07 PM

Last updated: 4/6/2026, 1:09:04 AM
