CVE-2025-68954
Published 2026-01-06. CVE-2025-68954: Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a…
Priority P431 · medium · 5.4 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS: 0.22% (12.2th percentile)
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability to be exploited. This issue is fixed in version 1.12.0.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | pterodactyl_wings | >= 0 < 1.12.0 | 1.12.0 |
| pterodactyl | panel | < 1.12.0 | 1.12.0 |
| pterodactyl | panel | >= 0 < 1.12.0 | 1.12.0 |
| pterodactyl | wings | < 1.12.0 | 1.12.0 |
CVSS provenance
NVD, CVSS v3.1: 5.4 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
NVD, CVSS v4.0: 7.5 HIGH, CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
OSV
Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced in github.com/pterodactyl/wings
osv · 2026-01-12
GHSA
Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced
ghsa · 2026-01-06 · HIGH · CWE-613 (Insufficient Session Expiration)
### Summary
Pterodactyl does not revoke _active_ SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked.
### Details
When a user opens a connection to a server using the Wings SFTP server instance, the permissions are checked and returned from the authentication API call made to the Panel. However, credentials are not checked again after the initial handshake. Thus, if a user is removed from a server in the Panel or has their permissions modified, those permissions are not updated in the SFTP co
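The check-once-at-handshake behaviour described under Details, beside the per-operation re-validation that closes it, as an added example that is not Wings' own code: a toy `Session` whose `Revalidate` setting selects never (the vulnerable pattern), every operation, or a TTL, checked against a stand-in `Panel` map. `Perms`, `Panel`, `Session`, `Open` and `CanWrite` are all constructed here.

```go
package main

import (
	"fmt"
	"time"
)

// Perms is a user's file-access permission set; Panel stands in for the Panel's
// authentication API (user -> current permissions). Both are constructed for this example.
type Perms struct{ Read, Write bool }
type Panel map[string]Perms

func (p Panel) Lookup(user string) (perms Perms, ok bool) { perms, ok = p[user]; return }

// Session is one SFTP connection. Permissions are fetched at the handshake; Revalidate
// says whether they are refreshed later: -1 never (the vulnerable pattern), 0 before every
// file operation, >0 once the cached copy is older than that duration.
type Session struct {
	panel      Panel
	user       string
	cached     Perms
	fetchedAt  time.Time
	Revalidate time.Duration
}

// Open is the handshake: it fails if the Panel does not list the user at all.
func Open(p Panel, user string, revalidate time.Duration) (*Session, bool) {
	perms, ok := p.Lookup(user)
	if !ok {
		return nil, false
	}
	return &Session{panel: p, user: user, cached: perms, fetchedAt: time.Now(), Revalidate: revalidate}, true
}

// CanWrite is the per-operation check. With Revalidate >= 0 a revoked user collapses to
// zero permissions and a downgraded one to the new set; with -1 the handshake result sticks.
func (s *Session) CanWrite() bool {
	if s.Revalidate >= 0 && (s.Revalidate == 0 || time.Since(s.fetchedAt) > s.Revalidate) {
		s.cached, _ = s.panel.Lookup(s.user) // not listed any more -> Perms{}
		s.fetchedAt = time.Now()
	}
	return s.cached.Write
}

func main() {
	panel := Panel{"alice": {Read: true, Write: true}}
	stale, _ := Open(panel, "alice", -1)
	fresh, _ := Open(panel, "alice", 0)
	delete(panel, "alice") // subuser removed in the Panel while both sessions are open
	fmt.Println("stale session can still write:", stale.CanWrite(), "fresh session:", fresh.CanWrite())
}
```

A positive TTL trades Panel round-trips for a window in which a revocation is not yet visible; keep it short or have the Panel push revocations to Wings so open sessions can be closed outright.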
No detection rules found.
No public exploits indexed.
Published: 2026-01-06