Critical (9.1)

Reviactyl OAuth Account Takeover (CVE-2026-34456)

CVE-2026-34456

Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth...

Overview

A critical authentication flaw has been identified in the open-source Reviactyl game server management panel. The vulnerability, tracked as CVE-2026-34456, exists in the OAuth account linking logic. It allows an attacker to take over any user account without needing a password.

Vulnerability Details

In affected versions (from 26.2.0-beta.1 to before 26.2.0-beta.5), the application’s OAuth flow automatically links a new social login provider (like Google or GitHub) to an existing local user account if the email addresses match. This process occurs without requiring any confirmation from the legitimate account holder.

An attacker can exploit this by registering an account with the OAuth provider under the victim’s email address. When the attacker signs in to Reviactyl through that provider, the panel links the provider identity to the victim’s existing account and grants the attacker full access to it. No prior authentication and no knowledge of the victim’s password are required.
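The two linking behaviours described above, side by side, as an added illustration written in Python; this is not Reviactyl’s Laravel code and the user store, identity fields and token handling are assumptions. The flawed version attaches an unknown provider identity to whichever local account shares its email. The hardened version treats the provider’s stable subject id as the only join key, and when an unlinked local account matches by email it never links on the spot: linking is allowed only from an already authenticated session, or after the local account holder confirms a single-use token (the kind of confirmation the advisory says was missing). All users, identities and tokens are constructed sample data.

```python
# Added example, not Reviactyl code: email-match auto-linking beside a
# version that requires explicit confirmation before linking.
from dataclasses import dataclass, field
import secrets


@dataclass
class User:
    id: int
    email: str
    is_admin: bool = False
    oauth_links: dict = field(default_factory=dict)  # provider -> subject id


@dataclass
class ProviderIdentity:
    """What the OAuth callback yields after exchanging the code (assumed shape)."""
    provider: str
    subject: str        # provider's stable user id: the only safe join key
    email: str
    email_verified: bool


class UserStore:
    def __init__(self, users):
        self.users = {u.id: u for u in users}

    def by_email(self, email):
        return next((u for u in self.users.values()
                     if u.email.casefold() == email.casefold()), None)

    def by_link(self, provider, subject):
        return next((u for u in self.users.values()
                     if u.oauth_links.get(provider) == subject), None)


def vulnerable_oauth_login(store, ident):
    """Flawed pattern: an unknown provider identity is silently attached to
    whichever local account shares its email address."""
    user = store.by_link(ident.provider, ident.subject)
    if user is not None:
        return user
    user = store.by_email(ident.email)
    if user is not None:
        user.oauth_links[ident.provider] = ident.subject  # no confirmation
    return user


class LinkConfirmationRequired(Exception):
    def __init__(self, token):
        super().__init__("confirm via the link sent to the local account's email")
        self.token = token


def hardened_oauth_login(store, ident, pending, session_user=None):
    """Only an already linked subject logs in directly. An email match against
    an unlinked local account never links by itself."""
    user = store.by_link(ident.provider, ident.subject)
    if user is not None:
        return user
    if not ident.email_verified:
        return None  # unverified provider email: treat as an unrelated identity
    if session_user is not None:
        # caller is logged in (e.g. by password) and links from account settings
        session_user.oauth_links[ident.provider] = ident.subject
        return session_user
    user = store.by_email(ident.email)
    if user is None:
        return None  # a real app would register a fresh account here
    token = secrets.token_urlsafe(32)  # single use, delivered to the local email
    pending[token] = (user.id, ident.provider, ident.subject)
    raise LinkConfirmationRequired(token)


def confirm_link(store, pending, token):
    """Handler for the confirmation link; returns the linked user or None."""
    entry = pending.pop(token, None)
    if entry is None:
        return None
    user_id, provider, subject = entry
    user = store.users[user_id]
    user.oauth_links[provider] = subject
    return user


def demo():
    """Constructed scenario: a provider identity carrying the admin's email
    but a subject id the panel has never seen arrives at the callback."""
    ident = ProviderIdentity("github", "sub-unknown-001", "admin@example.test", True)

    victim = User(1, "admin@example.test", is_admin=True)
    granted = vulnerable_oauth_login(UserStore([victim]), ident)

    victim2 = User(1, "admin@example.test", is_admin=True)
    store, pending = UserStore([victim2]), {}
    try:
        hardened_oauth_login(store, ident, pending)
        token = None
    except LinkConfirmationRequired as exc:
        token = exc.token
    links_before_confirm = dict(victim2.oauth_links)
    confirmed = confirm_link(store, pending, token) if token else None
    relogin = hardened_oauth_login(store, ident, pending) if confirmed else None
    return {
        "vulnerable_grants_victim": granted is victim,
        "hardened_required_confirmation": token is not None,
        "links_before_confirm": links_before_confirm,
        "relogin_user_id": relogin.id if relogin else None,
        "pending_after_confirm": len(pending),
    }
```

The `email_verified` check is deliberately not the gate on its own: providers differ in what that flag means, so a matching email, verified or not, only ever starts a confirmation step that the local account holder must complete.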

Impact and Risk

The impact is severe and straightforward: complete account takeover. An attacker gaining access to an administrator’s account could seize control of managed game servers, deploy malicious software, steal sensitive data, or disrupt services. The attack complexity is low, requires no user interaction, and can be performed remotely, leading to its high CVSS score of 9.1.

Remediation and Mitigation

The primary and only complete remediation is to upgrade Reviactyl to version 26.2.0-beta.5 or later, where this logic flaw has been patched.

Immediate Actions:

  1. Update Immediately: All users running Reviactyl versions 26.2.0-beta.1 through 26.2.0-beta.4 must upgrade to 26.2.0-beta.5 without delay.
  2. Audit Accounts: Review administrator and user accounts for any unrecognized OAuth provider links or suspicious activity.
  3. Monitor Logs: Closely monitor authentication logs for unexpected OAuth login attempts, particularly those associated with account linking events.

Until the patch is applied, consider temporarily disabling OAuth-based logins if this feature is not essential for your operations.
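For the "Audit Accounts" and "Monitor Logs" steps, an added example (Python, not part of the advisory or of Reviactyl) that scans authentication-log records for the linking events worth reviewing. The record shape (`event`, `user_id`, `provider`, `method`, `ts`) is an assumption about how a panel might log these events, and every line in the sample is constructed, not a real Reviactyl log. Two rules are applied: a link recorded as made by email match without confirmation is flagged high; a link that claims to be user-initiated but has no preceding password login for that user in the window is flagged medium, since a link from a genuine settings page should follow an authenticated session.

```python
# Added example, not Reviactyl code: review OAuth link events in auth logs.
import json
from datetime import datetime

# Constructed sample records (assumed field names), oldest first after sorting.
SAMPLE_LOG = """\
{"ts":"2026-03-01T09:00:00Z","event":"password.login","user_id":1,"ip":"10.0.0.5"}
{"ts":"2026-03-01T09:01:10Z","event":"oauth.link","user_id":1,"provider":"github","method":"user_initiated","ip":"10.0.0.5"}
{"ts":"2026-03-02T02:13:44Z","event":"oauth.link","user_id":2,"provider":"google","method":"auto_email_match","ip":"198.51.100.23"}
{"ts":"2026-03-02T02:13:45Z","event":"oauth.login","user_id":2,"provider":"google","ip":"198.51.100.23"}
{"ts":"2026-03-02T02:20:00Z","event":"oauth.link","user_id":3,"provider":"github","method":"user_initiated","ip":"203.0.113.9"}
{"ts":"2026-03-02T02:20:01Z","event":"oauth.login","user_id":3,"provider":"github","ip":"203.0.113.9"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def find_suspicious_links(text):
    """Return findings for oauth.link events that deserve a manual look."""
    records = parse_log(text)
    password_logins = {}  # user_id -> timestamps of password logins
    for rec in records:
        if rec["event"] == "password.login":
            password_logins.setdefault(rec["user_id"], []).append(rec["ts"])

    findings = []
    for rec in records:
        if rec["event"] != "oauth.link":
            continue
        uid, provider = rec["user_id"], rec["provider"]
        base = {"user_id": uid, "provider": provider, "ip": rec.get("ip"),
                "ts": rec["ts"].isoformat()}
        if rec.get("method") == "auto_email_match":
            findings.append({**base, "severity": "high",
                             "reason": "provider linked by email match without confirmation"})
            continue
        # A user-initiated link implies an authenticated session; require a
        # password login for the same user earlier in the window.
        if not any(t <= rec["ts"] for t in password_logins.get(uid, [])):
            findings.append({**base, "severity": "medium",
                             "reason": "link with no preceding password login in window"})
    return findings


def links_by_user(text):
    """Inventory for the account audit: which providers each user has linked,
    with the first time each link appeared."""
    inventory = {}
    for rec in parse_log(text):
        if rec["event"] == "oauth.link":
            inventory.setdefault(rec["user_id"], {}).setdefault(
                rec["provider"], rec["ts"].isoformat())
    return inventory


if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_LOG):
        print(f["severity"].upper(), f["user_id"], f["provider"], f["reason"])
    print(links_by_user(SAMPLE_LOG))
```

Run it over the whole retention window, not just the day of the advisory: the link that matters may be weeks old, and the inventory from `links_by_user` is what to compare against what each account holder actually set up.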

Security Insight

This vulnerability highlights the risk of automating trust on the basis of a single, unverified attribute such as an email address. It mirrors the logic flaw seen in the GlassWorm attack, where automated systems were abused for unauthorized access. For projects like Reviactyl that integrate multiple complex frameworks (Laravel, React, Go), it underscores the need for security-focused integration testing, especially around third-party authentication flows, which are a frequent source of architectural flaws.
