CVE-2026-26016: Unverified Ownership in Panel

Severity: 9.2 CRITICAL (NVD)
EPSS: 0.1% (top 80.63%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Latest update: Feb 17
Published: Feb 19

Description

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with. Any authent

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L

Affected Packages (2 packages)

NVD: pterodactyl/panel < 1.12.1
Packagist: pterodactyl/panel < 1.12.1

🔴 Vulnerability Details (2)

GHSA: Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization (2026-02-17)
OSV: Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization (2026-02-17)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-26016 Impact, Exploitability, and Mitigation Steps | Wiz