CVE-2025-68954: Insufficient Session Expiration in Pterodactyl Wings

Severity: 7.5 HIGH (NVD)
EPSS: 0.0% (top 98.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 6, 2026; latest update Jan 12, 2026

Description

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user who was already connected over SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time their permissions were revoked in order for this vulnerability
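The flaw the advisory describes, shown as an added example in Go (the language Wings is written in) that is not Wings' or Pterodactyl's own code: a minimal SFTP session manager whose vulnerable read path authorizes from the grant cached at login, beside a hardened path that re-reads the live grant on every operation and closes open sessions when a revocation leaves the user with no SFTP permission. Every identifier here (Perm, Manager, Connect, Revoke, the user@server keying) is an assumption of this example, not an API of the project.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Perm is a bitmask of per-user file permissions on one server (names assumed here, not Wings').
type Perm uint8

const (
	PermFileRead Perm = 1 << iota
	PermFileWrite
	permSFTP = PermFileRead | PermFileWrite // any bit that entitles an SFTP login
)

var ErrForbidden = errors.New("forbidden")
var ErrSessionClosed = errors.New("sftp session closed: access revoked")

// Session is one live SFTP connection; cached is the grant looked up at login.
type Session struct {
	User, Server string
	cached       Perm
	closed       bool
}

// Manager holds current grants (keyed user@server) and live sessions per server.
type Manager struct {
	mu       sync.Mutex
	grants   map[string]Perm
	sessions map[string][]*Session
}

func NewManager(grants map[string]Perm) *Manager {
	return &Manager{grants: grants, sessions: map[string][]*Session{}}
}

// Connect models a successful SFTP login: the grant is looked up exactly once.
func (m *Manager) Connect(user, server string) (*Session, error) {
	m.mu.Lock()
	defer m.mu.Unlock()
	p := m.grants[user+"@"+server]
	if p&permSFTP == 0 {
		return nil, ErrForbidden
	}
	s := &Session{User: user, Server: server, cached: p}
	m.sessions[server] = append(m.sessions[server], s)
	return s, nil
}

// ReadVulnerable authorizes from the login-time grant only, so a user removed
// after connecting keeps reading files: the behaviour the advisory describes.
func (m *Manager) ReadVulnerable(s *Session) error {
	if s.cached&PermFileRead == 0 {
		return ErrForbidden
	}
	return nil
}

// ReadHardened re-reads the live grant on every operation and refuses once a
// revocation has closed the session.
func (m *Manager) ReadHardened(s *Session) error {
	m.mu.Lock()
	defer m.mu.Unlock()
	if s.closed {
		return ErrSessionClosed
	}
	if m.grants[s.User+"@"+s.Server]&PermFileRead == 0 {
		return ErrForbidden
	}
	return nil
}

// Revoke stores the reduced grant (0 = user removed from the server) and, when no
// SFTP permission remains, closes that user's live sessions; returns the number closed.
func (m *Manager) Revoke(user, server string, newPerm Perm) int {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.grants[user+"@"+server] = newPerm
	if newPerm&permSFTP != 0 {
		return 0 // still entitled to SFTP; the per-operation check enforces the reduction
	}
	closed := 0
	for _, s := range m.sessions[server] {
		if s.User == user && !s.closed {
			s.closed = true
			closed++
		}
	}
	return closed
}

func main() {
	m := NewManager(map[string]Perm{"alice@srv-1": PermFileRead | PermFileWrite})
	s, _ := m.Connect("alice", "srv-1")
	m.Revoke("alice", "srv-1", 0) // alice removed from the server while connected
	fmt.Println("vulnerable:", m.ReadVulnerable(s)) // <nil>: read still allowed
	fmt.Println("hardened:", m.ReadHardened(s))     // sftp session closed
}
```

Deleting a server maps onto the same fix: call the revocation path for every user of that server so its open sessions are closed. The operational check a practitioner wants after upgrading is the sequence in main: open an SFTP session, remove the user (or drop their file permissions) from the panel, and confirm that the already-open session's next file operation fails rather than succeeds.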

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages (4 packages)

NVD: pterodactyl/panel < 1.12.0
Packagist: pterodactyl/panel < 1.12.0
NVD: pterodactyl/wings < 1.12.0

Patches

🔴 Vulnerability Details (3)

OSV: Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced in github.com/pterodactyl/wings (2026-01-12)
GHSA: Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced (2026-01-06)
OSV: Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced (2026-01-06)

🕵️ Threat Intelligence (1)

Wiz: CVE-2025-68954 Impact, Exploitability, and Mitigation Steps | Wiz