Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching email addresses. An attacker could create or control a social account (e.g., Google, GitHub, Discord) using a victim’s email address and gain full access to the victim's account without knowing their password. This results in a full account takeover with no prior authentication required. This issue has been patched in version 26.2.0-beta.5.
AnalysisAI
Account takeover via OAuth email auto-linking affects Reviactyl game server management panel versions 26.2.0-beta.1 through 26.2.0-beta.4, allowing unauthenticated remote attackers to gain full access to victim accounts by registering social OAuth accounts (Google, GitHub, Discord) with matching email addresses. The CVSS 9.1 (Critical) score reflects network-based exploitation requiring no authentication, low complexity, and high confidentiality/integrity impact. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward and publicly documented in GitHub advisory GHSA-8mcf-rp68-xhfg. Vendor-released patch: version 26.2.0-beta.5.
Technical ContextAI
Reviactyl is an open-source game server management panel built on Laravel (PHP framework) with React frontend, FilamentPHP admin interface, Vite build tooling, and Go backend components. The vulnerability stems from improper access control (CWE-284) in the OAuth social authentication integration flow. The panel's OAuth implementation automatically linked external identity provider accounts (Google, GitHub, Discord) to existing Reviactyl user accounts based solely on email address matching, without verifying email ownership or requiring existing authentication. Because OAuth providers do not universally verify email ownership during account creation, an attacker could register a social account at a provider using a victim's email address (even if the attacker cannot access that email inbox), then authenticate to Reviactyl via OAuth. The system would treat the matching email as sufficient proof of identity and grant access to the existing account. This violates secure OAuth implementation patterns, which require either email verification or explicit user consent before account linking, particularly when the email address has not been verified by the OAuth provider.
RemediationAI
Upgrade immediately to Reviactyl panel version 26.2.0-beta.5 or later, which contains the authentication flow fix implemented in commit fe0c29fc62fefe354c9ab8936dfe30fdb586a896. The patched release is available at https://github.com/reviactyl/panel/releases/tag/v26.2.0-beta.5. After upgrading, administrators should audit user accounts for suspicious OAuth-linked social accounts created during the vulnerable period, particularly accounts where social linking occurred without prior password-based authentication. Review authentication logs for unusual OAuth login patterns or account access from unexpected geographic locations. Consider temporarily disabling social OAuth authentication features if immediate patching is not feasible, forcing users to authenticate via password until the upgrade can be completed. No temporary workaround exists that maintains OAuth functionality while mitigating the vulnerability, making version upgrade the only effective remediation.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18009