cvedb.io
CVE-2026-34456
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2026-04-01T20:16:26.120 · Last modified 2026-06-17T10:39:04.920

Summary

Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching email addresses. An attacker could create or control a social account (e.g., Google, GitHub, Discord) using a victim’s email address and gain full access to the victim's account without knowing their password. This results in a full account takeover with no prior authentication required. This issue has been patched in version 26.2.0-beta.5.

Affected products

reviactyl — reviactyl

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.