Pterodactyl Panel vulnerabilities
12 known vulnerabilities affecting pterodactyl/panel.
Total CVEs: 12
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 4, MEDIUM 6
Vulnerabilities
CVE-2026-26016 (CRITICAL, CVSS 9.2, CWE-283). Fixed in 1.12.1. Date: 2026-02-19.
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different no
Sources: GHSA, NVD, OSV
CVE-2025-69199 (HIGH, CVSS 8.3, CWE-400). Fixed in 1.12.0. Date: 2026-01-19.
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within wings lack proper rate limiting and throttling. As a result, a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the net
Source: NVD
CVE-2025-69198 (MEDIUM, CVSS 6.0, CWE-400). Fixed in 1.12.0. Date: 2026-01-19.
Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle. However, in versi
Sources: GHSA, NVD, OSV
CVE-2025-68954 (HIGH, CVSS 7.5, CWE-613). Fixed in 1.12.0. Date: 2026-01-06.
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after the
Sources: GHSA, NVD, OSV
CVE-2025-69197 (MEDIUM, CVSS 6.5, CWE-287). Fixed in 1.12.0. Date: 2026-01-06.
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below allow TOTP to be used multiple times during its validity window. Users with 2FA enabled are prompted to enter a token during sign-in, and afterward it is not sufficiently marked as used in the system. This allows an attacker who intercepts that token to use i
Sources: GHSA, NVD, OSV
CVE-2025-49132 (CRITICAL, CVSS 10.0, CWE-94, public PoC). Fixed in 1.11.11. Date: 2025-06-20.
Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, r
Sources: GHSA, NVD, OSV
CVE-2024-49762 (MEDIUM, CVSS 4.6, CWE-313). Fixed in 1.11.8. Date: 2024-10-24.
Pterodactyl is a free, open-source game server management panel. When a user disables two-factor authentication via the Panel, a `DELETE` request with their current password in a query parameter will be sent. While query parameters are encrypted when using TLS, many webservers (including ones officially documented for use with Pterodactyl) will log
Sources: GHSA, NVD, OSV
CVE-2024-34067 (MEDIUM, CVSS 6.1, CWE-79). Fixed in 1.11.6. Date: 2024-05-03.
Pterodactyl is a free, open-source game server management panel built with PHP, React, and Go. Importing a malicious egg or gaining access to a wings instance could lead to cross-site scripting (XSS) on the panel, which could be used to gain an administrator account on the panel. Specifically, the following things are impacted: Egg Docker images and Eg
Sources: GHSA, NVD, OSV
CVE-2021-41273 (MEDIUM, CVSS 4.3, CWE-352). Fixed in 1.6.6. Date: 2021-11-17.
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. Due to improperly configured CSRF protections on two routes, a malicious user could execute a CSRF-based attack against the following endpoints: Sending a test email and Generating a node auto-deployment token. At no point would any data be exposed to the mal
Sources: GHSA, NVD, OSV
CVE-2021-41176 (MEDIUM, CVSS 4.3, CWE-352). Affected: >= 1.0.0, < 1.6.3. Fixed in 1.6.3. Date: 2021-10-25.
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl a malicious user can trigger a user logout if a signed in user visits a malicious website that makes a request to the Panel's sign-out endpoint. This requires a targeted attack against a specific Panel instance, and serves
Sources: GHSA, NVD, OSV
CVE-2021-41129 (HIGH, CVSS 8.1, CWE-502). Affected: >= 1.0.0, < 1.6.2. Date: 2021-10-06.
Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. A malicious user can modify the contents of a `confirmation_token` input during the two-factor authentication process to reference a cache value not associated with the login attempt. In rare cases this can allow a malicious actor to authenticate as a random us
Sources: GHSA, NVD, OSV
CVE-2019-1020002 (HIGH, CVSS 7.5, CWE-203). Fixed in 0.7.14. Date: 2019-07-29.
Pterodactyl before 0.7.14 with 2FA allows credential sniffing.
Sources: GHSA, NVD, OSV