Description
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite's max parameter limit when processing activity log entries, allowing a low-privileged user to trigger a condition that floods the panel with activity records. After Wings sends activity logs to the panel, it deletes the processed activity entries from the Wings SQLite database. However, it does not consider the max parameter limit of SQLite, 32766 as of SQLite 3.32.0. If Wings attempts to delete more than 32766 entries from the SQLite database in one query, it triggers an error (SQL logic error: too many SQL variables (1)) and does not remove any entries from the database. These entries are then indefinitely re-processed and resent to the panel each time the cron runs. By successfully exploiting this vulnerability, an attacker can trigger a situation where Wings keeps uploading the same activity data to the panel repeatedly (growing each time to include new activity) until the panel's database server runs out of disk space. Version 1.12.0 fixes the issue.
Published: 2026-01-19
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service from repeated activity log uploads exhausting disk space
Action: Immediate Patch
AI Analysis

Impact

Wings, the server‑control plane of Pterodactyl, fails to account for SQLite's maximum parameter limit when deleting processed activity logs. When the delete query binds more than 32,766 entry ids, SQLite rejects the statement with "too many SQL variables" and no entries are removed. Those entries are then re‑processed and resent to the panel on every cron run. An attacker with low privileges can cause this condition, producing an ever‑growing stream of duplicated activity records and eventual disk exhaustion on the panel's database server. The weakness is classified as CWE‑770 and CWE‑400 (resource consumption without limits or throttling).
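The failure mode and its fix, modelled as an added example rather than code from Wings or OpenCVE (Wings itself is written in Go; this is a stand-in using Python's standard sqlite3 module). The `activity` table, its columns, the row counts and the `send` callback are all constructed for the demonstration. `delete_single_query` is the vulnerable shape (one `?` per id in a single DELETE), which on a build with the default 32,766 limit fails atomically and leaves every row in place; `delete_in_batches` is the corrected shape, which never binds more than the limit in one statement, and `flush_activity` shows one cron tick using it.

```python
"""Added example: model the Wings activity-log flush defect and the batched fix.
Not Wings' own code. Table, columns and sample rows are constructed here."""
import sqlite3

# SQLite's compile-time default since 3.32.0, as stated in the advisory.
SQLITE_DEFAULT_VARIABLE_LIMIT = 32766


def open_activity_db(n_rows):
    """Constructed fixture: an in-memory activity table with n_rows pending entries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activity (id INTEGER PRIMARY KEY, event TEXT)")
    conn.executemany("INSERT INTO activity (event) VALUES (?)",
                     (("server:console.command",) for _ in range(n_rows)))
    conn.commit()
    return conn


def lower_variable_limit(conn, n):
    """Shrink this connection's per-statement parameter limit (Python 3.11+ only).
    Returns the effective limit, or None when the runtime cannot adjust it."""
    try:
        conn.setlimit(sqlite3.SQLITE_LIMIT_VARIABLE_NUMBER, n)
        return conn.getlimit(sqlite3.SQLITE_LIMIT_VARIABLE_NUMBER)
    except AttributeError:
        return None


def pending_count(conn):
    return conn.execute("SELECT COUNT(*) FROM activity").fetchone()[0]


def delete_single_query(conn, ids):
    """Vulnerable pattern: one DELETE with one '?' per id. Returns (deleted, error).
    Above the limit the statement is rejected outright, so nothing is removed."""
    placeholders = ",".join("?" * len(ids))
    try:
        cur = conn.execute(f"DELETE FROM activity WHERE id IN ({placeholders})", ids)
        conn.commit()
        return cur.rowcount, None
    except sqlite3.OperationalError as exc:
        conn.rollback()
        return 0, str(exc)


def delete_in_batches(conn, ids, limit=SQLITE_DEFAULT_VARIABLE_LIMIT):
    """Fixed pattern: never bind more than `limit` parameters in one statement."""
    deleted = 0
    for start in range(0, len(ids), limit):
        chunk = ids[start:start + limit]
        placeholders = ",".join("?" * len(chunk))
        cur = conn.execute(f"DELETE FROM activity WHERE id IN ({placeholders})", chunk)
        deleted += cur.rowcount
    conn.commit()
    return deleted


def flush_activity(conn, send, limit=SQLITE_DEFAULT_VARIABLE_LIMIT):
    """One cron tick: send the pending entries, then delete exactly those ids in batches.
    `send` stands in for the upload to the panel and receives the list of events."""
    rows = conn.execute("SELECT id, event FROM activity ORDER BY id").fetchall()
    if not rows:
        return 0
    send([event for _, event in rows])
    return delete_in_batches(conn, [row_id for row_id, _ in rows], limit)


if __name__ == "__main__":
    conn = open_activity_db(40_000)  # more than the default limit of 32,766
    ids = [row[0] for row in conn.execute("SELECT id FROM activity")]
    # Fails with "too many SQL variables" on builds using the default limit;
    # builds compiled with a higher SQLITE_MAX_VARIABLE_NUMBER will succeed.
    print("single query:", delete_single_query(conn, ids), "pending:", pending_count(conn))
    print("batched:", delete_in_batches(conn, ids), "pending:", pending_count(conn))
```

The batched version also keeps the "delete only what was sent" property: the ids come from the same SELECT that fed the upload, so entries written between the read and the delete are not lost. A deployment-side check for the vulnerable behaviour is the panel's activity table growing by the same block of rows on every Wings cron interval.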

Affected Systems

Product: Pterodactyl Wings – the Wings component of the Pterodactyl game‑server management panel. Affected releases include all versions from 1.7.0 up to, but not including, 1.12.0; any deployment of Wings in this range is susceptible.

Risk and Exploitability

The CVSS score of 8.3 indicates a high‑severity vulnerability, while the EPSS score of less than 1% suggests a currently low probability of exploitation. The attack vector requires only a low‑privileged user on the Wings instance, and the vulnerability can be exploited by causing the cron job to repeatedly attempt a delete query that exceeds SQLite's parameter limit—triggering a logic error that leaves the logs undeleted. The result is persistent re‑upload of the same data until disk space is exhausted. This vulnerability is not listed in the CISA KEV catalog, but its severity warrants prompt remediation.

Generated by OpenCVE AI on April 18, 2026 at 05:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Wings to version 1.12.0 or later to apply the fixed logic that respects SQLite’s maximum parameter limit.
  • Limit the privileges of users who can execute the activity‑log processing cron to prevent unintended triggering of the delete operation.
  • Monitor the disk usage on the panel database server and set alerts or quotas to detect rapid growth from duplicated logs, ensuring that disk exhaustion does not compromise availability.



Advisories
Source: Github GHSA
ID: GHSA-2497-gp99-2m74
Title: Pterodactyl endlessly reprocesses/reuploads activity log data due to SQLite max parameters limit not being considered
History

Mon, 02 Feb 2026 20:45:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-770
CPEs | | cpe:2.3:a:pterodactyl:wings:*:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}


Tue, 20 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Pterodactyl, Pterodactyl wings
Vendors & Products | | Pterodactyl, Pterodactyl wings

Mon, 19 Jan 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider SQLite max parameter limit when processing activity log entries allowing for low privileged user to trigger a condition that floods the panel with activity records. After Wings sends activity logs to the panel it deletes the processed activity entries from the wings SQLite database. However, it does not consider the max parameter limit of SQLite, 32766 as of SQLite 3.32.0. If wings attempts to delete more than 32766 entries from the SQLite database in one query, it triggers an error (SQL logic error: too many SQL variables (1)) and does not remove any entries from the database. These entries are then indefinitely re-processed and resent to the panel each time the cron runs. By successfully exploiting this vulnerability, an attacker can trigger a situation where wings will keep uploading the same activity data to the panel repeatedly (growing each time to include new activity) until the panels' database server runs out of disk space. Version 1.12.0 fixes the issue.
Title | | Endless reprocessing/reupload of activity log data due to SQLite max parameters limit not being considered
Weaknesses | | CWE-400
References | |
Metrics | | cvssV4_0 {'score': 8.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T17:27:48.498Z

Reserved: 2026-01-02T18:45:27.397Z

Link: CVE-2026-21696

Vulnrichment

Updated: 2026-01-20T17:27:42.774Z

NVD

Status: Analyzed

Published: 2026-01-19T20:15:49.107

Modified: 2026-02-02T20:40:21.660

Link: CVE-2026-21696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses