CVE-2026-34456
Reviactyl · Reviactyl Game Server Management Panel
A flaw in Reviactyl's OAuth flow allows unauthenticated account takeover by linking social accounts via matching email addresses without password verification.
Executive summary
Reviactyl game server management panels are vulnerable to complete account takeover via a flawed OAuth authentication flow that allows attackers to hijack accounts using only a victim's email address.
Vulnerability
This vulnerability resides in the OAuth authentication logic, specifically where social accounts are automatically linked based on email matches. An unauthenticated attacker can register a social provider account (Google, GitHub, Discord) with a target's email to gain full access to the victim's Reviactyl account.
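The flawed linking logic described above, shown as an added illustration (this is not Reviactyl's code; the User and OAuthProfile types and the in-memory user table are constructed for the example): the vulnerable flow looks an account up by the email the provider reports and links it on the spot, while the hardened flow matches on the provider's stable subject id and creates a new link only for an already authenticated session.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    email: str
    # provider name -> provider-issued stable subject id, set only by explicit linking
    linked: Dict[str, str] = field(default_factory=dict)


@dataclass
class OAuthProfile:
    provider: str         # e.g. "google", "github", "discord"
    subject: str          # provider's stable user id ("sub"), not chosen by the user
    email: str            # address the provider reports; influenced by the account holder
    email_verified: bool  # provider's claim that it verified the address


def make_users() -> Dict[str, User]:
    """Constructed stand-in for the panel's user table (keyed by lowercase email)."""
    return {"admin@example.com": User("admin@example.com")}


def vulnerable_login(profile: OAuthProfile, users: Dict[str, User]) -> Optional[User]:
    """Flawed flow: any provider profile whose email matches an existing account
    is silently linked and logged in, so whoever controls a social account that
    carries the victim's address is logged in as the victim."""
    user = users.get(profile.email.lower())
    if user is None:
        return None
    user.linked[profile.provider] = profile.subject  # auto-link on email match
    return user


def hardened_login(profile: OAuthProfile, users: Dict[str, User],
                   session_user: Optional[User] = None) -> Optional[User]:
    """Fixed flow: a provider identity logs someone in only if it was linked
    earlier, matched on (provider, subject) rather than on email. A new link is
    created only for an already authenticated session (password login or an
    existing link), so the email claim never grants access by itself."""
    if not profile.email_verified:
        return None
    for user in users.values():
        if user.linked.get(profile.provider) == profile.subject:
            return user  # explicit, previously established link
    if session_user is not None:
        session_user.linked[profile.provider] = profile.subject
        return session_user  # linking authorized by the session, not by the email
    return None  # unknown identity and no session: refuse rather than auto-link
```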
Business impact
A successful exploit results in a total account takeover, granting the attacker full administrative control over game servers and sensitive user data. Given the CVSS score of 9.1, this represents a critical risk to organizational integrity, potentially leading to data exfiltration, service disruption, and significant reputational damage.
Remediation
Immediate Action: Administrators must immediately upgrade Reviactyl installations to version 26.2.0-beta.5 or later to resolve the logic flaw in the OAuth flow.
Proactive Monitoring: Review authentication logs for unusual social login patterns, specifically looking for new social account linkings that do not correlate with known user activity.
Compensating Controls: If an immediate update is not possible, consider disabling OAuth social login providers temporarily and enforcing standard password-based authentication.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The critical nature of this account takeover vulnerability necessitates immediate action. Organizations running Reviactyl should prioritize upgrading to version 26.2.0-beta.5 to prevent unauthorized access to their server management infrastructure.