CVE-2026-21696Uncontrolled Resource Consumption in Pterodactyl Wings

CWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or Throttling5 documents4 sources
Severity
8.3HIGHNVD
EPSS
0.1%
top 81.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Github.com Pterodactyl WingsPterodactyl Wings
Timeline
PublishedJan 19
Latest updateFeb 3

Description

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records. After Wings sends activity logs to the panel it deletes the processed activity entries from the wings SQLite database. However, it does not consider the ma

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H

Affected Packages3 packages

NVDpterodactyl/wings1.7.01.12.0
Gogithub.com/pterodactyl_wings1.7.01.12.0
CVEListV5pterodactyl/wings>= 1.7.0, < 1.12.0

🔴Vulnerability Details

3
OSV
Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered in github.com/pterodactyl/wings2026-02-03
OSV
Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered2026-01-20
GHSA
Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered2026-01-20

🕵️Threat Intelligence

1
Wiz
CVE-2026-21696 Impact, Exploitability, and Mitigation Steps | Wiz