Platform: laravel
Component: laravel
Fixed in: 26.2.1
CVE-2026-34456 is a critical vulnerability affecting Reviactyl, an open-source game server management panel built on Laravel. This flaw allows attackers to automatically link social accounts (Google, GitHub, Discord) to a victim's Reviactyl account simply by using a matching email address, resulting in complete account takeover. The vulnerability impacts Reviactyl versions 26.2.0-beta.1 through 26.2.0-beta.4, and a fix is available in version 26.2.0-beta.5.
The impact of CVE-2026-34456 is severe. An attacker can gain complete control of a Reviactyl user's account without knowing the victim's password or holding any other credential for it. This allows them to modify server configurations, access sensitive data related to game servers, and potentially compromise the underlying infrastructure. Because exploitation requires only a social account whose email address matches the victim's, the risk of widespread abuse is significantly higher. This vulnerability is particularly concerning given Reviactyl's role in managing game servers, which often contain valuable data and configurations.
This vulnerability was publicly disclosed on 2026-04-01. There is currently no indication of active exploitation campaigns targeting Reviactyl. The relatively straightforward nature of the exploit, requiring only email address matching, suggests a potential for opportunistic attacks. The vulnerability has not been added to the CISA KEV catalog at the time of writing.
Exploit Status
EPSS: 0.08% (24th percentile)
The primary mitigation for CVE-2026-34456 is to immediately upgrade Reviactyl to version 26.2.0-beta.5 or later. If upgrading is not immediately feasible due to compatibility issues or downtime constraints, consider temporarily disabling automatic social account linking within Reviactyl's configuration. While this will impact user convenience, it will significantly reduce the attack surface. Monitor Reviactyl logs for suspicious account linking activity, specifically looking for new social accounts associated with existing user email addresses. After upgrading, confirm the fix by attempting to link a social account using an email address already associated with an existing Reviactyl account; the linking process should be blocked.
Update Reviactyl Panel to version 26.2.0-beta.5 or higher. This version corrects the OAuth account automatic linking vulnerability based on email addresses, preventing account takeover.
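As an added illustration (not Reviactyl's code, and framework-agnostic rather than Laravel-specific), the vulnerable resolution pattern the advisory describes beside a hardened one: the fix trusts only the provider's own user identifier, and allows linking solely from an already-authenticated session. `$users` and `$links` are constructed stand-ins for the panel's user and social-account tables, and every class and method name here is an assumption.

```php
<?php
// Added example, not Reviactyl's code. $users / $links are constructed stand-ins
// for the panel's users and social-account tables; all names are assumptions.
final class OAuthLinker
{
    public function __construct(private array $users, private array $links = []) {}
    private function userByEmail(string $email): ?array
    {
        foreach ($this->users as $u) {
            if (strcasecmp($u['email'], $email) === 0) return $u;
        }
        return null;
    }
    // Vulnerable pattern described in the advisory: a provider-asserted e-mail that
    // matches an existing user silently attaches that provider identity to the user.
    public function resolveVulnerable(string $provider, string $providerId, string $email): array
    {
        $u = $this->userByEmail($email);
        if ($u !== null) {
            $this->links[] = ['provider' => $provider, 'provider_id' => $providerId, 'user_id' => $u['id']];
            return ['action' => 'login', 'user_id' => $u['id']];   // takeover: no password involved
        }
        return ['action' => 'register'];
    }
    // Hardened: only the (provider, provider_id) pair identifies an account. Linking
    // happens solely from an authenticated session; an unauthenticated callback whose
    // e-mail collides with an existing user is refused (and is worth logging).
    public function resolveHardened(string $provider, string $providerId, string $email, ?int $sessionUserId = null): array
    {
        foreach ($this->links as $l) {
            if ($l['provider'] === $provider && $l['provider_id'] === $providerId) {
                return ['action' => 'login', 'user_id' => $l['user_id']];
            }
        }
        if ($sessionUserId !== null) {   // explicit "connect account" from the settings page
            $this->links[] = ['provider' => $provider, 'provider_id' => $providerId, 'user_id' => $sessionUserId];
            return ['action' => 'linked', 'user_id' => $sessionUserId];
        }
        if ($this->userByEmail($email) !== null) {
            return ['action' => 'deny', 'reason' => 'email already registered: sign in, then link from settings'];
        }
        return ['action' => 'register'];
    }
}

$vulnerable = new OAuthLinker([['id' => 7, 'email' => 'victim@example.com']]);
$hardened   = new OAuthLinker([['id' => 7, 'email' => 'victim@example.com']]);
echo $vulnerable->resolveVulnerable('github', '424242', 'victim@example.com')['action'], ' vs ',
     $hardened->resolveHardened('github', '424242', 'victim@example.com')['action'], PHP_EOL;
```

The same callback logs straight in under the vulnerable rule and is refused under the hardened one, which is also the behaviour the post-upgrade check in the mitigation section expects to see.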
CVE-2026-34456 is a critical vulnerability in Reviactyl that allows attackers to gain full account access by linking social accounts using a matching email address, bypassing password authentication.
You are affected if you are using Reviactyl versions 26.2.0-beta.1 through 26.2.0-beta.4. Upgrade immediately to mitigate the risk.
Upgrade Reviactyl to version 26.2.0-beta.5 or later. As a temporary workaround, disable automatic social account linking in the configuration.
There is currently no confirmed evidence of active exploitation, but the ease of exploitation suggests a potential for opportunistic attacks.
Refer to the Reviactyl project's official release notes and security advisories on their GitHub repository or website for the latest information.