EUVD-2026-18009
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching email addresses. An attacker could create or control a social account (e.g., Google, GitHub, Discord) using a victim’s email address and gain full access to the victim's account without knowing their password. This results in a full account takeover with no prior authentication required. This issue has been patched in version 26.2.0-beta.5.
Analysis
Account takeover via OAuth email auto-linking affects Reviactyl game server management panel versions 26.2.0-beta.1 through 26.2.0-beta.4, allowing unauthenticated remote attackers to gain full access to victim accounts by registering social OAuth accounts (Google, GitHub, Discord) with matching email addresses. The CVSS 9.1 (Critical) score reflects network-based exploitation requiring no authentication, low complexity, and high confidentiality/integrity impact. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Reviactyl installations and confirm running versions against the affected range (26.2.0-beta.1 through 26.2.0-beta.4); isolate affected systems from production if possible. Within 7 days: Upgrade all affected instances to version 26.2.0-beta.5 or later per vendor advisory. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today