CVE-2026-34456 Overview
CVE-2026-34456 is a critical authentication bypass in Reviactyl, an open-source game server management panel built on Laravel, React, FilamentPHP, Vite, and Go. The OAuth authentication flow automatically links social accounts to existing local accounts based solely on matching email addresses. An attacker who controls a Google, GitHub, or Discord account using a victim's email address can log in as the victim without knowing the password. The flaw affects Reviactyl versions 26.2.0-beta.1 through 26.2.0-beta.4 and is patched in 26.2.0-beta.5.
Critical Impact
Unauthenticated remote attackers can achieve full account takeover on affected Reviactyl instances by linking an attacker-controlled OAuth identity to any victim email address.
Affected Products
- Reviactyl Panel 26.2.0-beta.1
- Reviactyl Panel 26.2.0-beta.2 through 26.2.0-beta.3
- Reviactyl Panel 26.2.0-beta.4
Discovery Timeline
- 2026-04-01 - CVE-2026-34456 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2026-34456
Vulnerability Analysis
The vulnerability is an improper access control flaw [CWE-284] in Reviactyl's OAuth login handler. When a user authenticates through a supported OAuth provider such as Google, GitHub, or Discord, the panel queries its local user database for an account matching the email address returned by the provider. If a match exists, the panel logs the requester in as that local user and links the OAuth identity to the account.
Reviactyl performs this linking without requiring the user to be already authenticated and without verifying ownership of the local account. The matching email address is treated as sufficient proof of identity. As a result, the attacker never needs to supply the victim's password or complete any secondary verification step.
The vulnerability is remotely exploitable over the network with no privileges and no user interaction required on the victim side. Any Reviactyl operator who enabled OAuth login between beta.1 and beta.4 is exposed.
Root Cause
The root cause is a trust-boundary error in the social-login callback logic. Email addresses returned by third-party OAuth providers are not unique identifiers and are not proof of account ownership for a separate system. By using the email as the sole linking key, Reviactyl conflated identity assertions from external providers with identity ownership inside the panel.
Attack Vector
An attacker first creates a new account at a supported OAuth provider, such as Google, GitHub, or Discord, using the victim's email address. The attacker then initiates the OAuth login flow on the target Reviactyl panel. The panel receives the email from the provider, finds the matching local account, and signs the attacker in with the victim's privileges. If the victim is an administrator, the attacker inherits full administrative control of the panel and managed game servers.
The vulnerability mechanism is described in the GitHub Security Advisory GHSA-8mcf-rp68-xhfg. No public proof-of-concept exploit is currently published.
Detection Methods for CVE-2026-34456
Indicators of Compromise
- OAuth login events that link a new social provider identity to an existing local account without a preceding authenticated session for that account.
- Successful logins from new IP addresses or geographies shortly after a first-time OAuth association event.
- Unexpected administrative actions such as user creation, permission changes, or server allocation changes following a social login.
Detection Strategies
- Review Reviactyl authentication logs for oauth_link or social-login events that occurred without a corresponding session-bound link request.
- Correlate OAuth provider subject identifiers against historical values for each account and alert when a new provider subject is bound to an existing user.
- Hunt for password-reset or email-change activity occurring after a first-time OAuth login on privileged accounts.
Monitoring Recommendations
- Forward Laravel application logs and web server access logs to a centralized logging or SIEM platform for retention and correlation.
- Alert on OAuth callback requests followed within seconds by privileged actions in the FilamentPHP admin panel.
- Track the Reviactyl version string in deployment inventories and flag any instance still running 26.2.0-beta.1 through 26.2.0-beta.4.
How to Mitigate CVE-2026-34456
Immediate Actions Required
- Upgrade Reviactyl to version 26.2.0-beta.5 or later, as published in the GitHub Release v26.2.0-beta.5.
- Audit all existing OAuth account links and revoke any that cannot be confirmed by the legitimate account owner.
- Force a password reset and re-authentication for administrative users on instances that ran an affected beta release.
Patch Information
The issue is fixed in Reviactyl 26.2.0-beta.5. The remediation is included in commit fe0c29fc62fefe354c9ab8936dfe30fdb586a896, available in the Reviactyl panel commit. The patch removes automatic email-based linking and requires an authenticated session before binding a social identity to a local account.
Workarounds
- Disable OAuth social login providers (Google, GitHub, Discord) in the Reviactyl configuration until the upgrade is applied.
- Restrict panel network exposure to trusted administrative networks or a VPN until patched.
- Require administrators to use local credentials with multi-factor authentication while OAuth flows remain disabled.
# Configuration example: upgrade Reviactyl panel to the patched release
git fetch --tags
git checkout v26.2.0-beta.5
php artisan down
composer install --no-dev --optimize-autoloader
php artisan migrate --force
php artisan config:cache
php artisan up
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
