CVE-2026-35202
Published 2026-06-02
Priority: P4 (16) · Severity: low · CVSS 4.0 base score: 2.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.21% (11.5th percentile)
Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Version 1.12.3 patches the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pterodactyl | panel | < 1.12.3 | 1.12.3 |
| pterodactyl | panel | >= 0 < 1.12.3 | 1.12.3 |
VulDB
CVE-2026-35202 [LOW] pterodactyl panel up to 1.12.2 Pterodactyl Client API toctou (GHSA-fgmm-w5cx-vrfw)
vuldb · 2026-06-03 · CVSS 2.3
A vulnerability classified as problematic has been found in pterodactyl panel up to 1.12.2. Affected is an unknown function of the component Pterodactyl Client API. This manipulation causes time-of-check time-of-use.
The identification of this vulnerability is CVE-2026-35202. It is possible to initiate the attack remotely. There is no exploit available.
It is recommended to upgrade the affected component.
GHSA
CVE-2026-35202 [LOW] CWE-367 Pterodactyl has a database resource limit bypass via race condition in Client API
ghsa · 2026-05-26
### Summary
The Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything.
### Details
Inside `DatabaseController.php`, the code tries to prevent multiple databases from being created at once by calling `$server->databases()->lockForUpdate()`. In Laravel, this just configures a query builder but never actually sends a command to the database because it’s missing a terminal method like `count()` or `get()`. It’s basically a no-op that does nothing.
Since there’s no real lock, multiple requests hitting the endpoint at the exact
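The no-op lock the advisory describes, shown beside a form in which the limit check actually holds under concurrent requests. This is an added illustration written for this page; it is not Pterodactyl's controller code and not the 1.12.3 patch. The `Server` and `Database` model classes, the `database_limit` attribute, the `DisplayException` class and the `createDatabase()` helper are assumed names; `databases()`, `lockForUpdate()`, `count()`, `first()` and `DB::transaction()` are ordinary Laravel/Eloquent calls.

```php
<?php
// Added illustration for the pattern described in the advisory.
// Assumed (hypothetical) names: a Server model with a `database_limit` column and
// a `databases()` hasMany relation, a Database model, a DisplayException class,
// and a createDatabase() helper that inserts the row. Not Pterodactyl's code.

use Illuminate\Support\Facades\DB;

// --- Ineffective form (the pattern the advisory describes) ---------------------
// lockForUpdate() only sets a flag on the pending query builder. Without a
// terminal method such as count() or get() no SELECT ... FOR UPDATE is sent, so
// the later count() is an ordinary unlocked read. Two requests can both observe
// `limit - 1` rows and both insert: time-of-check / time-of-use (CWE-367).
function storeDatabaseUnlocked(Server $server, array $data): Database
{
    $server->databases()->lockForUpdate();             // builds a query, never executes it

    if ($server->databases()->count() >= $server->database_limit) {
        throw new DisplayException('Database limit reached.');
    }

    return createDatabase($server, $data);             // a concurrent request reaches here too
}

// --- Hardened form -------------------------------------------------------------
// Check and insert in one transaction, and take the row lock on the parent
// server row. Locking the parent row (which always exists) serialises concurrent
// creates for that server even when it has zero child rows, which locking the
// child rows alone would not guarantee. The count is read only after the lock
// is held, so the second request blocks and then sees the first one's insert.
function storeDatabaseLocked(Server $server, array $data): Database
{
    return DB::transaction(function () use ($server, $data) {
        // first() is the terminal method: this is where SELECT ... FOR UPDATE runs.
        $locked = Server::whereKey($server->id)->lockForUpdate()->first();
        if ($locked === null) {
            throw new DisplayException('Server no longer exists.');
        }

        $current = $locked->databases()->count();      // read under the lock
        if ($current >= $locked->database_limit) {
            throw new DisplayException('Database limit reached.');
        }

        return createDatabase($locked, $data);
    });
}
```

A quick way to confirm which form a controller is really using is to enable Laravel's query log (`DB::enableQueryLog()` before the request, `DB::getQueryLog()` after) and look for a `select ... for update` statement: the unlocked form never emits one, the hardened form emits it inside the transaction. The transaction boundary matters as much as the lock itself, since a row lock taken outside a transaction is released as soon as the statement completes.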
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-06-02