Description
Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Version 1.12.3 patches the issue.
Published: 2026-06-02
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A race condition in the Client API allows an authenticated user to bypass assigned database allocation limits by exploiting a broken locking mechanism. The flaw, identified as CWE‑367 and causing potential resource exhaustion (CWE‑770), lets a user create more database resources than intended, which could lead to service degradation or denial of service if the limit is exceeded over time.

Affected Systems

Pterodactyl Panel versions earlier than 1.12.3 are affected. Users running any older release are vulnerable until they upgrade to version 1.12.3 or later; no further version details are supplied.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and there is no EPSS data or listing in CISA KEV, suggesting limited public exploitation. An attacker would need to be an authenticated API user, implying the risk is confined to internal users who could abuse the API. The lack of a robust locking mechanism means the flaw can be reproduced without special conditions, but the impact remains limited to resource over‑allocation rather than full system compromise.

Generated by OpenCVE AI on June 3, 2026 at 03:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Pterodactyl Panel to 1.12.3 or a later release that fixes the race condition.
  • Restrict API usage to trusted accounts and apply least‑privilege permissions to prevent accidental over‑allocation.
  • Monitor database usage statistics for sudden increases and set alerts to detect potential abuse.

Generated by OpenCVE AI on June 3, 2026 at 03:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-fgmm-w5cx-vrfw Pterodactyl has a database resource limit bypass via race condition in Client API
History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Version 1.12.3 patches the issue.
Title Pterodactyl has a database resource limit bypass via race condition in Client API
Weaknesses CWE-367
CWE-770
References
Metrics cvssV4_0

{'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T19:03:46.792Z

Reserved: 2026-04-01T18:48:58.937Z

Link: CVE-2026-35202

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-02T20:16:35.143

Modified: 2026-06-02T20:16:35.143

Link: CVE-2026-35202

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T04:00:13Z

Weaknesses