CVE-2026-34456— Reviactyl 访问控制错误漏洞

Reviactyl: OAuth account takeover via auto-linking

Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching email addresses. An attacker could create or control a social account (e.g., Google, GitHub, Discord) using a victim’s email address and gain full access to the victim's account without knowing their password. This results in a full account takeover with no prior authentication required. This issue has been patched in version 26.2.0-beta.5.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

访问控制不恰当

Reviactyl 访问控制错误漏洞

Reviactyl是Reviactyl开源的一个游戏服务器管理面板。 Reviactyl 26.2.0-beta.1至26.2.0-beta.5之前版本存在访问控制错误漏洞，该漏洞源于OAuth身份验证流程中存在漏洞，仅基于匹配的电子邮件地址自动链接社交账户，可能导致攻击者使用受害者的电子邮件地址创建或控制社交账户，在不知道密码的情况下获得对受害者账户的完全访问权限，实现账户接管。

N/A

N/A