Skip to main content

Google CVE-2026-34456

| EUVDEUVD-2026-18009 CRITICAL
Improper Access Control (CWE-284)
2026-04-01 security-advisories@github.com
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:47 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
26.2.0-beta.5
EUVD ID Assigned
Apr 01, 2026 - 20:27 euvd
EUVD-2026-18009
Analysis Generated
Apr 01, 2026 - 20:27 vuln.today
CVE Published
Apr 01, 2026 - 20:16 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching email addresses. An attacker could create or control a social account (e.g., Google, GitHub, Discord) using a victim’s email address and gain full access to the victim's account without knowing their password. This results in a full account takeover with no prior authentication required. This issue has been patched in version 26.2.0-beta.5.

AnalysisAI

Account takeover via OAuth email auto-linking affects Reviactyl game server management panel versions 26.2.0-beta.1 through 26.2.0-beta.4, allowing unauthenticated remote attackers to gain full access to victim accounts by registering social OAuth accounts (Google, GitHub, Discord) with matching email addresses. The CVSS 9.1 (Critical) score reflects network-based exploitation requiring no authentication, low complexity, and high confidentiality/integrity impact. No public exploit identified at time of analysis, though the vulnerability mechanism is straightforward and publicly documented in GitHub advisory GHSA-8mcf-rp68-xhfg. Vendor-released patch: version 26.2.0-beta.5.

Technical ContextAI

Reviactyl is an open-source game server management panel built on Laravel (PHP framework) with React frontend, FilamentPHP admin interface, Vite build tooling, and Go backend components. The vulnerability stems from improper access control (CWE-284) in the OAuth social authentication integration flow. The panel's OAuth implementation automatically linked external identity provider accounts (Google, GitHub, Discord) to existing Reviactyl user accounts based solely on email address matching, without verifying email ownership or requiring existing authentication. Because OAuth providers do not universally verify email ownership during account creation, an attacker could register a social account at a provider using a victim's email address (even if the attacker cannot access that email inbox), then authenticate to Reviactyl via OAuth. The system would treat the matching email as sufficient proof of identity and grant access to the existing account. This violates secure OAuth implementation patterns, which require either email verification or explicit user consent before account linking, particularly when the email address has not been verified by the OAuth provider.

RemediationAI

Upgrade immediately to Reviactyl panel version 26.2.0-beta.5 or later, which contains the authentication flow fix implemented in commit fe0c29fc62fefe354c9ab8936dfe30fdb586a896. The patched release is available at https://github.com/reviactyl/panel/releases/tag/v26.2.0-beta.5. After upgrading, administrators should audit user accounts for suspicious OAuth-linked social accounts created during the vulnerable period, particularly accounts where social linking occurred without prior password-based authentication. Review authentication logs for unusual OAuth login patterns or account access from unexpected geographic locations. Consider temporarily disabling social OAuth authentication features if immediate patching is not feasible, forcing users to authenticate via password until the upgrade can be completed. No temporary workaround exists that maintains OAuth functionality while mitigating the vulnerability, making version upgrade the only effective remediation.

Share

CVE-2026-34456 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy