github.com/pterodactyl/wings vulnerabilities
10 known vulnerabilities affecting github.com/pterodactyl/wings.
Total CVEs: 10
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 5, MEDIUM 2
Vulnerabilities
CVE-2026-21696 [HIGH] CWE-400: Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered
Affected versions: ≥ 1.7.0, < 1.12.0 | Date: 2026-01-20
### Summary
Wings does not consider the SQLite maximum parameter limit when processing activity log entries, allowing a low-privileged user to trigger a condition that floods the panel with activity records.
### Details
After wings sends ac
Sources: GHSA, OSV
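One way to avoid the oversized-statement failure the summary describes is to cap every multi-row INSERT at the bind-parameter limit instead of writing the whole backlog in one statement. The following is an added Go example, not Wings' code or its actual fix: the ActivityEvent struct, the activity_logs table and its columns are constructed for the example, and the limit values quoted are SQLite's documented defaults.

```go
package main

import (
	"fmt"
	"strings"
)

// ActivityEvent is a constructed stand-in for one locally queued activity
// record; the real Wings schema is not reproduced here.
type ActivityEvent struct {
	Server    string
	User      string
	Event     string
	IP        string
	Timestamp int64
}

// activityColumns is the number of bind parameters each row contributes to
// the multi-row INSERT built below.
const activityColumns = 5

// Batch is one statement text plus the arguments bound to its placeholders.
type Batch struct {
	SQL  string
	Args []any
}

// BuildInsertBatches splits events into INSERT statements whose bind-parameter
// count never exceeds maxParams. A single multi-row INSERT of N rows needs
// N*activityColumns parameters; above SQLite's limit (SQLITE_MAX_VARIABLE_NUMBER,
// 999 by default before 3.32.0 and 32766 after) the statement fails to prepare
// with "too many SQL variables". A caller that neither marks the rows as stored
// nor shrinks the batch re-attempts the same oversized write on every cycle,
// which is the endless-reprocessing condition the advisory summary describes.
func BuildInsertBatches(events []ActivityEvent, maxParams int) ([]Batch, error) {
	rowsPerBatch := maxParams / activityColumns
	if rowsPerBatch < 1 {
		return nil, fmt.Errorf("maxParams %d cannot hold one row of %d columns", maxParams, activityColumns)
	}
	var batches []Batch
	for start := 0; start < len(events); start += rowsPerBatch {
		end := start + rowsPerBatch
		if end > len(events) {
			end = len(events)
		}
		chunk := events[start:end]
		placeholders := make([]string, 0, len(chunk))
		args := make([]any, 0, len(chunk)*activityColumns)
		for _, e := range chunk {
			placeholders = append(placeholders, "(?, ?, ?, ?, ?)")
			args = append(args, e.Server, e.User, e.Event, e.IP, e.Timestamp)
		}
		batches = append(batches, Batch{
			SQL: "INSERT INTO activity_logs (server, user, event, ip, timestamp) VALUES " +
				strings.Join(placeholders, ", "),
			Args: args,
		})
	}
	return batches, nil
}

// MaxArgs returns the largest bind-parameter count across batches so a caller
// can assert it against the limit reported by the driver before executing.
func MaxArgs(batches []Batch) int {
	m := 0
	for _, b := range batches {
		if len(b.Args) > m {
			m = len(b.Args)
		}
	}
	return m
}

func main() {
	// Constructed input: a burst of 1000 records, as a low-privileged user
	// repeating an audited action could generate.
	events := make([]ActivityEvent, 1000)
	for i := range events {
		events[i] = ActivityEvent{"srv-1", "alice", "server:file.read", "203.0.113.7", int64(1700000000 + i)}
	}
	batches, _ := BuildInsertBatches(events, 999)
	fmt.Printf("%d batches, largest uses %d bind parameters\n", len(batches), MaxArgs(batches))
}
```

Two things matter beyond the arithmetic: the limit should be read from the SQLite build in use rather than hard-coded, and a batch that still fails must be dropped or quarantined after a bounded number of attempts so the retry loop cannot become a flood against the panel.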
CVE-2025-69199 [HIGH] CWE-400: Pterodactyl websocket endpoints have no visible rate limits or monitoring, allowing for DoS attacks
Affected versions: ≥ 0, < 1.12.0 | Date: 2026-01-20
### Summary
Websockets within wings lack proper rate limiting and throttling. As a result, a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host.
Sources: GHSA, OSV
CVE-2025-68954 [HIGH] CWE-613: Pterodactyl does not revoke SFTP access when server is deleted or permissions reduced
Affected versions: ≥ 0, < 1.12.0 | Date: 2026-01-06
### Summary
Pterodactyl does not revoke _active_ SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permi
Sources: GHSA, OSV
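Closing this class of gap requires the node to keep a handle on every live session so an authorization change can terminate it, rather than relying on the check performed once at login. The following is an added Go example, not Wings' code: SessionKey, SessionRegistry and the use of net.Pipe as a stand-in for an accepted SFTP connection are constructed here, and the hook that calls RevokeUser or RevokeServer when the panel reports a change is assumed.

```go
package main

import (
	"fmt"
	"net"
	"sync"
)

// SessionKey identifies who is connected to which server.
type SessionKey struct {
	Server string
	User   string
}

// SessionRegistry tracks live connections so a permission change or a server
// deletion can terminate them immediately instead of waiting for the client
// to disconnect. Authenticating at connect time is necessary but not
// sufficient: authorization has to be re-evaluated against sessions that are
// already open.
type SessionRegistry struct {
	mu       sync.Mutex
	sessions map[SessionKey]map[net.Conn]struct{}
}

func NewSessionRegistry() *SessionRegistry {
	return &SessionRegistry{sessions: make(map[SessionKey]map[net.Conn]struct{})}
}

// Add records an authenticated connection; call it once per accepted session.
func (r *SessionRegistry) Add(key SessionKey, c net.Conn) {
	r.mu.Lock()
	defer r.mu.Unlock()
	if r.sessions[key] == nil {
		r.sessions[key] = make(map[net.Conn]struct{})
	}
	r.sessions[key][c] = struct{}{}
}

// Remove forgets a connection that ended normally.
func (r *SessionRegistry) Remove(key SessionKey, c net.Conn) {
	r.mu.Lock()
	defer r.mu.Unlock()
	delete(r.sessions[key], c)
	if len(r.sessions[key]) == 0 {
		delete(r.sessions, key)
	}
}

// RevokeUser closes every live session of user on server and returns how many
// were closed. Call it when the user is removed from the server or loses a
// file permission.
func (r *SessionRegistry) RevokeUser(server, user string) int {
	return r.revoke(func(k SessionKey) bool { return k.Server == server && k.User == user })
}

// RevokeServer closes every session on server, for example on server deletion.
func (r *SessionRegistry) RevokeServer(server string) int {
	return r.revoke(func(k SessionKey) bool { return k.Server == server })
}

func (r *SessionRegistry) revoke(match func(SessionKey) bool) int {
	r.mu.Lock()
	var victims []net.Conn
	for k, conns := range r.sessions {
		if !match(k) {
			continue
		}
		for c := range conns {
			victims = append(victims, c)
		}
		delete(r.sessions, k)
	}
	r.mu.Unlock()
	// Close outside the lock: Close may block on some transports.
	for _, c := range victims {
		_ = c.Close()
	}
	return len(victims)
}

// Active reports how many sessions are live for key.
func (r *SessionRegistry) Active(key SessionKey) int {
	r.mu.Lock()
	defer r.mu.Unlock()
	return len(r.sessions[key])
}

func main() {
	reg := NewSessionRegistry()
	// Constructed stand-in for an accepted SFTP connection: the server end is
	// registered, the client end is what the user would be holding.
	srvEnd, clientEnd := net.Pipe()
	reg.Add(SessionKey{Server: "srv-1", User: "alice"}, srvEnd)
	fmt.Println("sessions closed:", reg.RevokeUser("srv-1", "alice"))
	_, err := clientEnd.Read(make([]byte, 1))
	fmt.Println("client read after revocation:", err) // io.EOF
}
```

Terminating the transport is the coarse control. As defence in depth, the per-request file handlers should also re-check the current permission set on each operation, so a session that survives for any reason still cannot act beyond what the panel now allows.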
CVE-2024-34066 [HIGH] CWE-552: Pterodactyl Wings vulnerable to Arbitrary File Write/Read
Affected versions: ≥ 0, < 1.11.12 | Date: 2024-05-03
### Impact
If the Wings token is leaked either by viewing the node configuration or posting it accidentally somewhere, an attacker can use it to gain arbitrary file write and read access on the node the token is associated to.
### Workarounds
Enabling the `ignore_panel_config_updates` option or updating to the latest version of Wings are the only k
Sources: GHSA, OSV
CVE-2024-34068 [MEDIUM] CWE-284: Pterodactyl Wings vulnerable to Server-Side Request Forgery during remote file pull
Affected versions: ≥ 0, < 1.11.12 | Date: 2024-05-03
### Impact
An authenticated user who has access to a game server is able to bypass the previously implemented access control (https://github.com/pterodactyl/wings/security/advisories/GHSA-6rg3-8h8x-5xfv) that prevents accessing internal endpoints of the node hosting Wings in the pull endpoint. Thi
Sources: GHSA, OSV
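A pull endpoint that fetches a user-supplied URL onto the node needs two layers of SSRF control: a lexical check on the URL, and an authoritative check on the addresses the name actually resolves to at the moment of connecting, so that redirects and DNS rebinding cannot route the request to the node's own services. The following is an added Go example, not Wings' code or the access control referenced in the advisory; the function names IsForbiddenIP, ValidatePullURL, SafeDialContext and NewPullClient, and the redirect cap and timeouts, are choices made here.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"time"
)

// ErrForbiddenDestination is returned for any address a node must never fetch
// from on a user's behalf.
var ErrForbiddenDestination = errors.New("destination resolves to a forbidden address")

// RFC 6598 shared address space (carrier-grade NAT) is not covered by
// net.IP.IsPrivate, so it is listed explicitly.
var _, cgnat, _ = net.ParseCIDR("100.64.0.0/10")

// IsForbiddenIP reports whether ip is loopback, unspecified, private,
// link-local (which covers the 169.254.169.254 cloud metadata service),
// multicast or CGNAT. IPv4-mapped IPv6 addresses are normalised first so that
// ::ffff:127.0.0.1 is treated as 127.0.0.1.
func IsForbiddenIP(ip net.IP) bool {
	if ip4 := ip.To4(); ip4 != nil {
		ip = ip4
	}
	return ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() ||
		ip.IsInterfaceLocalMulticast() || ip.IsMulticast() || cgnat.Contains(ip)
}

// ValidatePullURL applies the cheap, lexical part of the policy: http(s) only,
// no credentials in the URL, and IP literals checked directly. It is a first
// filter, not the guarantee; hostnames are checked again at dial time.
func ValidatePullURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("scheme %q not allowed", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("credentials in URL not allowed")
	}
	host := u.Hostname()
	if host == "" {
		return nil, errors.New("empty host")
	}
	if ip := net.ParseIP(host); ip != nil && IsForbiddenIP(ip) {
		return nil, fmt.Errorf("%w: %s", ErrForbiddenDestination, host)
	}
	return u, nil
}

// SafeDialContext resolves the hostname itself, refuses if any resolved address
// is forbidden, and then dials the vetted IP rather than the name. Placing the
// check in the dialer means every connection, including those made after a
// redirect, is covered, and there is no window between validation and connect
// for a DNS answer to change.
func SafeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, err
	}
	ips, err := net.DefaultResolver.LookupIPAddr(ctx, host)
	if err != nil {
		return nil, err
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("no addresses for %s", host)
	}
	for _, ipa := range ips {
		if IsForbiddenIP(ipa.IP) {
			return nil, fmt.Errorf("%w: %s -> %s", ErrForbiddenDestination, host, ipa.IP)
		}
	}
	d := &net.Dialer{Timeout: 10 * time.Second}
	var lastErr error
	for _, ipa := range ips {
		conn, err := d.DialContext(ctx, network, net.JoinHostPort(ipa.IP.String(), port))
		if err == nil {
			return conn, nil
		}
		lastErr = err
	}
	return nil, lastErr
}

// NewPullClient builds the http.Client a remote-pull endpoint should use: the
// vetted dialer, a redirect cap with each hop re-validated, and an overall
// timeout so a slow remote cannot pin a worker indefinitely.
func NewPullClient() *http.Client {
	return &http.Client{
		Timeout: 5 * time.Minute,
		Transport: &http.Transport{
			DialContext:           SafeDialContext,
			TLSHandshakeTimeout:   10 * time.Second,
			ResponseHeaderTimeout: 30 * time.Second,
		},
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if len(via) >= 3 {
				return errors.New("too many redirects")
			}
			_, err := ValidatePullURL(req.URL.String())
			return err
		},
	}
}

func main() {
	for _, raw := range []string{"https://example.com/world.zip", "http://169.254.169.254/latest/meta-data/", "http://[::1]:8080/"} {
		_, err := ValidatePullURL(raw)
		fmt.Printf("%-45s %v\n", raw, err)
	}
	// The dial-time check is the authoritative one; an IP literal is used here
	// only so the demonstration runs without network access.
	_, err := SafeDialContext(context.Background(), "tcp", "127.0.0.1:8080")
	fmt.Println("dial 127.0.0.1:8080:", err)
	_ = NewPullClient()
}
```

Because the transport still performs TLS with the original hostname, dialing the vetted IP does not weaken certificate verification. Any further policy specific to a deployment (the panel's own address, a private download mirror) belongs in IsForbiddenIP or an allow-list in front of it, not in the lexical check alone.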
CVE-2024-27102 [CRITICAL] CWE-22: Pterodactyl Wings vulnerable to improper isolation of server file access
Affected versions: ≥ 0, < 1.11.9 | Date: 2024-03-15
### Impact
This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can potentially be used to access files and directories on the host system. The full scope of impact is not exactly known, but reading files outside of a server's base directory (sandbox root) is possible.
In order to
Sources: GHSA, OSV
CVE-2023-32080 [CRITICAL] CWE-250: Wings vulnerable to escape to host from installation container
Affected versions: ≥ 0, < 1.7.5; ≥ 1.11.0, < 1.11.6 | Date: 2023-05-11
### Impact
This vulnerability impacts anyone running the affected versions of Wings. This vulnerability can be used to gain access to the host system running Wings if a user is able to modify a server's install script or the install script executes code supplied by the user (either through environment variables, or commands that execut
Sources: GHSA, OSV
CVE-2023-25168 [CRITICAL] CWE-59: Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following resulting in deletion of files and directories on the host system
Affected versions: ≥ 0, < 1.7.4; ≥ 1.11.0, < 1.11.4 | Date: 2023-02-10
### Impact
This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can be used to delete files and directories recursively on the host system. This vulnerability can
Sources: GHSA, OSV
CVE-2023-25152 [HIGH] CWE-59: Pterodactyl Wings contains UNIX Symbolic Link (Symlink) Following
Affected versions: ≥ 0, < 1.7.3; ≥ 1.11.0, < 1.11.3 | Date: 2023-02-08
### Impact
This vulnerability impacts anyone running the affected versions of Wings. The vulnerability can be used to create new files on the host system that previously did not exist, potentially allowing attackers to change their resource allocations, promote their containers to privileged mode, or potentially add ssh authorized
Sources: GHSA, OSV
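The three sandbox-escape entries above (CVE-2024-27102 reading outside the base directory, CVE-2023-25168 and CVE-2023-25152 following symlinks to delete or create host files) share the same shape: a user-controlled path is confined lexically but not after symlinks are resolved. The following is an added Go example, not Wings' code, of the check a file manager needs before it opens, writes or removes anything; SafePath and resolveExisting are names chosen here, and the temporary directory and symlinks in main are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot is returned when a user-supplied path, after "..", absolute
// prefixes and every symlink on the way have been resolved, lands outside the
// server's base directory.
var ErrEscapesRoot = errors.New("path resolves outside the server root")

// SafePath maps an untrusted path onto the on-disk path inside root.
// Lexical cleaning alone is not enough: a symlink the user created inside the
// sandbox can point anywhere on the host. The deepest existing prefix is
// resolved with EvalSymlinks and the not-yet-existing tail (for a file about
// to be created) is re-attached before the containment check.
func SafePath(root, userPath string) (string, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return "", err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return "", err
	}
	// Clean against "/" so "../../etc/passwd" becomes "/etc/passwd" relative
	// to the sandbox rather than a traversal.
	candidate := filepath.Join(realRoot, filepath.Clean("/"+userPath))
	resolved, err := resolveExisting(candidate)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(realRoot, resolved)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s -> %s", ErrEscapesRoot, userPath, resolved)
	}
	return resolved, nil
}

// resolveExisting resolves symlinks in the longest existing prefix of p and
// appends the missing remainder unchanged. A dangling symlink is rejected:
// creating a file through it would create the link's target instead. Any
// error other than "does not exist" is returned as-is.
func resolveExisting(p string) (string, error) {
	var tail []string
	cur := p
	for {
		real, err := filepath.EvalSymlinks(cur)
		if err == nil {
			return filepath.Join(append([]string{real}, tail...)...), nil
		}
		if !errors.Is(err, os.ErrNotExist) {
			return "", err
		}
		if _, lerr := os.Lstat(cur); lerr == nil {
			return "", fmt.Errorf("%w: dangling symlink at %s", ErrEscapesRoot, cur)
		}
		parent, base := filepath.Split(cur)
		tail = append([]string{base}, tail...)
		cur = filepath.Clean(parent)
	}
}

func main() {
	root, err := os.MkdirTemp("", "wings-sandbox-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	// Constructed demonstration: a symlink inside the sandbox pointing at the host.
	_ = os.Symlink("/etc", filepath.Join(root, "escape"))
	for _, p := range []string{"logs/latest.log", "../../etc/passwd", "escape/passwd"} {
		resolved, err := SafePath(root, p)
		fmt.Printf("%-20s -> %s %v\n", p, resolved, err)
	}
}
```

This check is still subject to a race: a symlink created between SafePath returning and the file being opened wins. The robust form walks the path component by component with O_NOFOLLOW relative to an open directory handle, which is what Go 1.24's os.Root (os.OpenRoot) implements; where that is available it should be preferred over a resolve-then-open pattern.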
CVE-2021-32699 [MEDIUM] CWE-405: Asymmetric Resource Consumption (Amplification) in Docker containers created by Wings
Affected versions: ≥ 0, < 1.4.4 | Date: 2021-06-23
### Impact
All versions of Pterodactyl Wings prior to `1.4.4` are vulnerable to system resource exhaustion due to improper container process limits being defined. A malicious user can consume more resources than intended and cause downstream impacts to other clients on the same hardware, event
Sources: GHSA, OSV