{"id":"CVE-2026-34456","summary":"Reviactyl: OAuth account takeover via auto-linking","details":"Reviactyl is an open-source game server management panel built using Laravel, React, FilamentPHP, Vite, and Go. From version 26.2.0-beta.1 to before version 26.2.0-beta.5, a vulnerability in the OAuth authentication flow allowed automatic linking of social accounts based solely on matching email addresses. An attacker could create or control a social account (e.g., Google, GitHub, Discord) using a victim’s email address and gain full access to the victim's account without knowing their password. This results in a full account takeover with no prior authentication required. This issue has been patched in version 26.2.0-beta.5.","aliases":["GHSA-8mcf-rp68-xhfg"],"modified":"2026-07-08T08:12:51.241387443Z","published":"2026-04-01T20:00:55.743Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34456.json","cwe_ids":["CWE-284"]},"references":[{"type":"WEB","url":"https://github.com/reviactyl/panel/releases/tag/v26.2.0-beta.5"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34456.json"},{"type":"ADVISORY","url":"https://github.com/reviactyl/panel/security/advisories/GHSA-8mcf-rp68-xhfg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34456"},{"type":"FIX","url":"https://github.com/reviactyl/panel/commit/fe0c29fc62fefe354c9ab8936dfe30fdb586a896"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/reviactyl/panel","events":[{"introduced":"7fe69b32524018df04d793272f7bcdc0a964913e"},{"fixed":"62efb006f4096055c312d036c62819d697ff5ac4"}],"database_specific":{"extracted_events":[{"introduced":"26.2.0-beta.1"},{"fixed":"26.2.0-beta.5"}],"source":"AFFECTED_FIELD"}}],"versions":["v26.2.0-beta.4","v26.2.0-beta.3","v26.2.0-beta.2","v26.2.0-beta.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34456.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}