Description
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with. Any authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes. This vulnerability requires a user to acquire a secret access token for a node. Unless a user gains access to a Wings secret access token they would not be able to access any of these vulnerable endpoints, as every endpoint requires a valid node access token. A single compromised Wings node daemon token (stored in plaintext at `/etc/pterodactyl/config.yml`) grants access to sensitive configuration data of every server on the panel, rather than only to servers that the node has access to. An attacker can use this information to move laterally through the system, send excessive notifications, destroy server data on other nodes, and otherwise exfiltrate secrets that they should not have access to with only a node token. Additionally, triggering a false transfer success causes the panel to delete the server from the source node, resulting in permanent data loss. Users should upgrade to version 1.12.1 to receive a fix.
Published: 2026-02-19
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Data Exposure and Lateral Access
Action: Immediate Patch
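The missing check in the description above, modelled as an added Python example that is not Panel or Wings code: the Server record, the node-token table, the handler names, the `/api/remote/servers/...` path and the access-log format are all constructed assumptions for this illustration. It places the vulnerable handler shape (authenticate any node, then look up the server purely by the client-supplied UUID) beside the hardened shape (every lookup scoped to the authenticated node's id, with one identical 404 for "missing" and "not yours"), and adds a small retrospective audit over constructed log lines that a defender could adapt to find cross-node requests made before patching.

```python
import hmac
import re
from dataclasses import dataclass


@dataclass
class Server:
    uuid: str
    node_id: int
    install_script: str   # constructed sample; real install scripts may embed secrets
    installed: bool = False


# Constructed sample state, not a real deployment: two nodes, one server on each.
NODE_TOKENS = {1: "node-1-secret-token", 2: "node-2-secret-token"}
SERVERS = {
    "srv-on-node-1": Server("srv-on-node-1", 1, "export DB_PASSWORD=constructed-secret-1"),
    "srv-on-node-2": Server("srv-on-node-2", 2, "export DB_PASSWORD=constructed-secret-2"),
}


class Forbidden(Exception):
    pass  # bearer token is not a known node token


class NotFound(Exception):
    pass  # no server the caller may see matches the UUID


def authenticate_node(bearer: str) -> int:
    """Resolve a node bearer token to a node id (constant-time comparison)."""
    for node_id, secret in NODE_TOKENS.items():
        if hmac.compare_digest(bearer, secret):
            return node_id
    raise Forbidden("invalid node token")


# Vulnerable handler shape: authentication only proves the caller is *some* node,
# and the server is then fetched purely by the client-supplied UUID, so a token
# for node 2 can read the install script of a server that lives on node 1.
def get_install_script_vulnerable(bearer: str, server_uuid: str) -> str:
    authenticate_node(bearer)
    server = SERVERS.get(server_uuid)
    if server is None:
        raise NotFound("server not found")
    return server.install_script


# Hardened shape: every lookup is scoped to the authenticated node's id.
def load_owned_server(node_id: int, server_uuid: str) -> Server:
    server = SERVERS.get(server_uuid)
    if server is None or server.node_id != node_id:
        # Same 404 for "does not exist" and "belongs to another node", so a node
        # cannot use the response to enumerate UUIDs hosted elsewhere.
        raise NotFound("server not found")
    return server


def get_install_script(bearer: str, server_uuid: str) -> str:
    return load_owned_server(authenticate_node(bearer), server_uuid).install_script


def set_install_status(bearer: str, server_uuid: str, installed: bool) -> bool:
    """Write endpoints get the same ownership scoping as reads."""
    server = load_owned_server(authenticate_node(bearer), server_uuid)
    server.installed = installed
    return server.installed


def is_denied(fn, *args) -> bool:
    """True when a handler refuses the request (used by the demo below)."""
    try:
        fn(*args)
    except (Forbidden, NotFound):
        return True
    return False


# Retrospective check over access logs. The line format is constructed for this
# example; adapt the pattern to the panel's real access log before use.
LOG_LINE = re.compile(r"node=(?P<node>\d+) path=/api/remote/servers/(?P<uuid>[\w-]+)")
SAMPLE_LOG = [  # constructed sample lines
    "2026-02-19T10:00:00Z node=1 path=/api/remote/servers/srv-on-node-1/install status=200",
    "2026-02-19T10:00:05Z node=2 path=/api/remote/servers/srv-on-node-1/install status=200",
    "2026-02-19T10:00:09Z node=2 path=/api/remote/servers/srv-on-node-2/install status=200",
]


def find_cross_node_requests(lines):
    """Return (requesting node, server uuid, owning node) for every request in
    which a node touched a server that belongs to a different node."""
    findings = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m is None:
            continue
        node = int(m.group("node"))
        server = SERVERS.get(m.group("uuid"))
        if server is not None and server.node_id != node:
            findings.append((node, server.uuid, server.node_id))
    return findings


if __name__ == "__main__":
    print("vulnerable:", get_install_script_vulnerable("node-2-secret-token", "srv-on-node-1"))
    print("hardened denied:", is_denied(get_install_script, "node-2-secret-token", "srv-on-node-1"))
    print("cross-node requests:", find_cross_node_requests(SAMPLE_LOG))
```

The design point is that the ownership check lives in one loader (`load_owned_server`) that every remote-API handler calls, rather than being repeated per controller, which is the kind of omission the advisory describes. Any hit from the log audit on a pre-1.12.1 panel is a signal to rotate that node's token and review the servers it touched.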
AI Analysis

Impact

The vulnerability in Pterodactyl’s Wings control plane arises from an improperly enforced authorization check on several API endpoints. Any authenticated node, identified only by its secret token, can request information about any server across the entire panel, ignoring the intended node‑server relationship. This omission permits attackers to retrieve installation scripts that may contain sensitive values, alter installation and transfer statuses, and delete servers on remote nodes. Because the affected endpoints expose configuration data and control commands, an attacker can leverage the accessible information to move laterally, exfiltrate secrets, and trigger destructive actions such as permanent data loss. The weakness is classified as unauthorized access (CWE‑283) and secret information disclosure (CWE‑639).

Affected Systems

The issue affects the Pterodactyl Panel (Panel 1.12.1 and earlier), specifically the Wings server control plane component. Any node that possesses a secret access token stored in the plaintext file /etc/pterodactyl/config.yml can exploit the flaw. The flaw allows a node to fetch details and manipulate servers that belong to other nodes, thereby violating the principle of least privilege for all servers managed by the panel.

Risk and Exploitability

The CVSS score of 9.2 marks this flaw as critical, reflecting the high potential impact on confidentiality, integrity, and availability. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild, yet the absence of this vulnerability from the CISA KEV catalog does not diminish the need for remediation. Attackers must first obtain a valid node secret token, which is the prerequisite for leveraging the vulnerable endpoints. Once in possession of such a token, an adversary can perform remote API calls to read or modify any server configuration, bypassing the proper authorization checks, and potentially orchestrate large-scale destructive actions across the cluster.

Generated by OpenCVE AI on April 17, 2026 at 18:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pterodactyl to version 1.12.1 or later to apply the vendor’s fix for the missing authorization checks.
  • Secure the node secret token by restricting filesystem permissions to the Wings daemon only and consider encrypting or rotating the token on a regular basis.
  • Limit network exposure of the Wings API by configuring firewall rules or a reverse proxy that permits traffic only from trusted node host addresses and blocks direct public access.

Advisories

Source: GitHub GHSA
ID: GHSA-g7vw-f8p5-c728
Title: Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization
History

Fri, 20 Feb 2026 19:15:00 +0000
  CPEs: cpe:2.3:a:pterodactyl:panel:*:*:*:*:*:*:*:*
  Metrics (cvssV3_1): score 8.1, vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Fri, 20 Feb 2026 16:15:00 +0000
  Metrics (ssvc, version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: total

Fri, 20 Feb 2026 10:15:00 +0000
  First time appeared: Pterodactyl; Pterodactyl panel
  Vendors & Products: Pterodactyl; Pterodactyl panel

Thu, 19 Feb 2026 16:30:00 +0000
  Description: (text identical to the Description at the top of this page)
  Title: Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization
  Weaknesses: CWE-283; CWE-639
  References: (empty)
  Metrics (cvssV4_0): score 9.2, vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:42:39.382Z

Reserved: 2026-02-09T21:36:29.554Z

Link: CVE-2026-26016

Vulnrichment

Updated: 2026-02-20T15:29:44.516Z

NVD

Status: Analyzed

Published: 2026-02-19T17:24:50.293

Modified: 2026-02-20T19:08:53.683

Link: CVE-2026-26016

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:15:26Z

Weaknesses