Platform
laravel
Component
laravel
Fixed in
26.2.1
CVE-2026-34456 is a critical vulnerability affecting Reviactyl, an open-source game server management panel built on Laravel. The flaw lets an attacker have a social account (Google, GitHub or Discord) linked automatically to a victim's Reviactyl account on nothing more than a matching email address, and then sign in as that victim: a complete account takeover. The vulnerability affects Reviactyl versions 26.2.0-beta.1 through 26.2.0-beta.4; a fix is available in version 26.2.0-beta.5.
The impact of CVE-2026-34456 is severe because exploitation is easy and the result is full control of the victim's account. An attacker only needs a social account at one of the supported providers whose email address matches the victim's panel email; no password and no interaction with the victim is required. Once the social account is linked, the attacker holds whatever access the victim had. If the victim is a panel administrator, that means the ability to change game server settings, read player data and potentially compromise the whole server environment, leading to data breaches, service disruption and unauthorized changes to game configurations. Because the password check is bypassed entirely, the barrier to entry is low and the issue should be treated as a high-priority risk.
CVE-2026-34456 was disclosed on 2026-04-01. As of that date there is no publicly known proof-of-concept exploit. The attack requires no special tooling, and the impact is critical, so a moderate likelihood of exploitation is a reasonable assumption even though the EPSS score is currently low. The vulnerability is not listed in the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for signs of active exploitation campaigns against Reviactyl instances.
Game server administrators and users of Reviactyl are at risk, particularly where social account linking is enabled for authentication. Deployments whose users hold addresses on a shared email domain, such as a hosting provider that issues mailboxes under one domain, face increased risk: an attacker who can obtain an address on that domain matching another user's can repeat the attack against several accounts.
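The class of bug described above, beside a hardened counterpart, as an added illustration in Laravel/PHP. This is not Reviactyl's own code (neither the vulnerable nor the fixed version); `Socialite`, `Auth` and the `getId()`/`getEmail()`/`getName()`/`getNickname()` accessors are Laravel Socialite's real API, while the controller, the `SocialAccount` model with its `social_accounts` table (`provider`, `provider_id`, `user_id`) and a `user()` belongsTo relation, the provider allowlist and the redirect targets are all assumptions made for the example.

```php
<?php
// Added illustration, not Reviactyl's code. Model, table and route names
// below are hypothetical; Socialite and Auth calls are Laravel's real API.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\Models\SocialAccount;   // assumed: provider, provider_id, user_id; user() relation
use App\Models\User;
use Illuminate\Support\Facades\Auth;
use Laravel\Socialite\Facades\Socialite;

class SocialLoginController extends Controller
{
    private const PROVIDERS = ['google', 'github', 'discord'];

    // VULNERABLE pattern: any provider identity whose email string matches
    // an existing user is silently attached to that user and logged in.
    // Nothing here proves the requester controls the panel account.
    public function callbackVulnerable(string $provider)
    {
        abort_unless(in_array($provider, self::PROVIDERS, true), 404);
        $oauthUser = Socialite::driver($provider)->user();

        $user = User::where('email', $oauthUser->getEmail())->first();
        if ($user === null) {
            $user = User::create([
                'name'  => $oauthUser->getName() ?? $oauthUser->getNickname(),
                'email' => $oauthUser->getEmail(),
            ]);
        }

        // Auto-link on email match: this is the account-takeover primitive.
        SocialAccount::firstOrCreate(
            ['provider' => $provider, 'provider_id' => $oauthUser->getId()],
            ['user_id' => $user->id]
        );
        Auth::login($user);

        return redirect('/');
    }

    // HARDENED pattern: a provider identity only authenticates a user it was
    // previously linked to. A new link is created only by an already
    // authenticated session, for that session's own account, never by
    // looking up whoever happens to share the email address.
    public function callbackHardened(string $provider)
    {
        abort_unless(in_array($provider, self::PROVIDERS, true), 404);
        $oauthUser = Socialite::driver($provider)->user();

        $link = SocialAccount::where('provider', $provider)
            ->where('provider_id', $oauthUser->getId())
            ->first();

        if ($link !== null) {
            Auth::login($link->user);   // existing, deliberately created link
            return redirect('/');
        }

        if (!Auth::check()) {
            // Unknown identity and no session: refuse, regardless of email.
            return redirect('/login')->withErrors([
                'oauth' => "This {$provider} account is not linked. Sign in with your "
                         . 'password first, then link it from your profile.',
            ]);
        }

        SocialAccount::create([
            'provider'    => $provider,
            'provider_id' => $oauthUser->getId(),
            'user_id'     => Auth::id(),   // the account that proved ownership
        ]);

        return redirect('/account');
    }
}
```

The hardened handler never consults the email claim when deciding whom to log in. An email address returned by an identity provider is a string the social account holder chose at a third party; even where the provider reports it as verified, matching it against the panel's user table is a weaker proof than the user authenticating to the panel and then choosing to link. If email-based matching is wanted for convenience, it should be gated on the provider's verified flag and confirmed through the panel's own mailbox round trip, not applied silently.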
• linux / server (assumes a systemd unit named reviactyl and that the panel logs linking events with this phrase; adjust both to your deployment):
journalctl -u reviactyl | grep -i "social account linking"
• generic web (a HEAD request to the callback route only shows that the endpoint exists; it does not tell you whether the running build is patched, so rely on the version check):
curl -I https://your-reviactyl-instance/auth/social/callback | grep -i "email"
Disclosure
Exploit status
EPSS
0.08% (24th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34456 is to upgrade Reviactyl to version 26.2.0-beta.5 or later immediately, as that release contains the fix. If upgrading is not immediately feasible, temporarily disable social account linking in the Reviactyl configuration; this costs users some convenience but removes the attack path. Monitor Reviactyl logs for suspicious account linking activity, particularly links to unfamiliar social accounts created without a preceding password login. Review and audit existing social account links to identify unauthorized connections, and have affected users unlink anything they do not recognize. After upgrading, confirm the fix with two accounts you control: create a panel account, then sign in through a social provider using a separate social account that carries the same email address, and verify that the panel neither links the two nor logs you in as the existing user.
Update Reviactyl Panel to version 26.2.0-beta.5 or later. This version removes the automatic OAuth account linking based on email addresses and thereby prevents the account takeover.
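The post-upgrade check described above, written as a Laravel feature test. This is an added example, not part of Reviactyl's test suite: it assumes a route named `oauth.callback` taking a `{provider}` parameter, a `User` factory, and a `social_accounts` table with `user_id`, `provider` and `provider_id` columns; `Socialite::shouldReceive('driver->user')` and `Laravel\Socialite\Two\User` are Socialite's real facade and user class.

```php
<?php
// Added example, not Reviactyl's own test. Route name, factory and table
// columns are assumptions; Socialite mocking follows Laravel's documented pattern.

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Socialite\Facades\Socialite;
use Laravel\Socialite\Two\User as OAuthUser;
use Mockery;
use Tests\TestCase;

class SocialAccountLinkingTest extends TestCase
{
    use RefreshDatabase;

    public function test_email_match_alone_does_not_link_or_log_in(): void
    {
        // Victim: an existing panel account with no social links.
        $victim = User::factory()->create(['email' => 'admin@example.test']);

        // Attacker: a provider identity whose email string equals the victim's.
        // The provider id is distinct from anything the victim ever linked.
        $oauthUser = Mockery::mock(OAuthUser::class);
        $oauthUser->shouldReceive('getId')->andReturn('attacker-provider-id-1');
        $oauthUser->shouldReceive('getEmail')->andReturn('admin@example.test');
        $oauthUser->shouldReceive('getName')->andReturn('Attacker');
        $oauthUser->shouldReceive('getNickname')->andReturn('attacker');

        // Short-circuit the OAuth round trip so the callback sees our identity.
        Socialite::shouldReceive('driver->user')->andReturn($oauthUser);

        // Unauthenticated request to the provider callback, as an attacker would make.
        $this->get(route('oauth.callback', ['provider' => 'github']));

        // A fixed build must neither log the requester in as the victim...
        $this->assertGuest();

        // ...nor persist a link from the attacker's identity to the victim's account.
        $this->assertDatabaseMissing('social_accounts', [
            'user_id'     => $victim->id,
            'provider'    => 'github',
            'provider_id' => 'attacker-provider-id-1',
        ]);
    }
}
```

Run it with `php artisan test --filter SocialAccountLinkingTest`. On a vulnerable build (26.2.0-beta.1 through beta.4) the first assertion fails because the callback logs the session in as the victim; on a fixed build both assertions pass. Keep the test in place so a future refactor of the callback cannot quietly reintroduce email-based auto-linking.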
CVE-2026-34456 is a critical vulnerability in Reviactyl that allows attackers to gain full account access by linking social accounts using a matching email address, bypassing password authentication.
You are affected if you are using Reviactyl versions 26.2.0-beta.1 through 26.2.0-beta.4. Upgrade immediately to mitigate the risk.
Upgrade Reviactyl to version 26.2.0-beta.5 or later. As a temporary workaround, disable automatic social account linking in the configuration.
There is currently no confirmed evidence of active exploitation, but the ease of exploitation suggests a potential for opportunistic attacks.
Refer to the Reviactyl project's official release notes and security advisories on their GitHub repository or website for the latest information.