CVE-2026-26016
Authorization Bypass in Pterodactyl Wings Allows Data Exposure
Publication date: 2026-02-19
Last updated on: 2026-02-20
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pterodactyl | panel | to 1.12.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-283 | The product does not properly verify that a critical resource is owned by the proper entity. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Pterodactyl, a game server management panel, in the part of the Panel that serves its Wings node daemons (the affected product listed above is the Panel, versions before 1.12.1; Wings is the server control plane that calls that API). Before 1.12.1, several of those controllers were missing an authorization check, so anyone holding a node's secret token could retrieve information about any server on the Pterodactyl instance, including servers assigned to a different node.
The root cause is that the Panel authenticates the requesting node by its token but never verifies that the server being requested actually belongs to that node (CWE-283 and CWE-639 above). As a result, an authenticated node, or anyone who has copied its token, can read installation scripts for servers on other nodes, manipulate the installation and transfer status of those servers, and potentially cause permanent data loss.
To exploit this, an attacker needs a valid Wings node token, which Wings stores in plaintext in its configuration file. On a multi-node instance, compromising any single node (or its config file) is enough: that one token exposes sensitive configuration data for every server on the Panel and enables lateral movement, data exfiltration, and destructive actions.
Upgrading the Panel to version 1.12.1 or later fixes this issue by adding the missing ownership checks.
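The missing check is a classic IDOR (CWE-639): the request is authenticated, but the resource is looked up by identifier alone. The following is an added illustration written for this page, not code from the Pterodactyl Panel (which is a PHP application) or from Wings. It models, in Go, a node-token-authenticated endpoint that serves a server's install script; the route shape `/api/remote/servers/{uuid}/install`, the node and server records, tokens and scripts are all constructed sample data. With `enforceOwnership` off it reproduces the pre-fix behaviour; with it on, the handler refuses to serve a server that belongs to another node.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Node models a Wings daemon registered with the panel; Token is the secret it
// presents on every remote-API call (assumed model, not the panel's schema).
type Node struct {
	ID    int
	Token string
}

// Server belongs to exactly one node.
type Server struct {
	UUID          string
	NodeID        int
	InstallScript string
}

// Constructed sample data: two nodes, one server on each.
var nodes = []Node{{ID: 1, Token: "node1-secret"}, {ID: 2, Token: "node2-secret"}}
var servers = map[string]Server{
	"aaaa-1111": {UUID: "aaaa-1111", NodeID: 1, InstallScript: "#!/bin/sh\necho node1"},
	"bbbb-2222": {UUID: "bbbb-2222", NodeID: 2, InstallScript: "#!/bin/sh\nexport API_KEY=s3cr3t"},
}

// authenticateNode resolves the bearer token to a node, comparing in constant time.
func authenticateNode(r *http.Request) (Node, bool) {
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	for _, n := range nodes {
		if subtle.ConstantTimeCompare([]byte(tok), []byte(n.Token)) == 1 {
			return n, true
		}
	}
	return Node{}, false
}

// installScriptHandler serves GET /api/remote/servers/{uuid}/install.
// enforceOwnership=false reproduces the vulnerable behaviour: any valid node
// token can fetch any server's script. enforceOwnership=true adds the check.
func installScriptHandler(enforceOwnership bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		node, ok := authenticateNode(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		uuid := strings.TrimSuffix(strings.TrimPrefix(r.URL.Path, "/api/remote/servers/"), "/install")
		srv, found := servers[uuid]
		// The fix: the server must belong to the node that authenticated.
		// Answer 404 rather than 403 so a foreign node cannot enumerate UUIDs.
		if !found || (enforceOwnership && srv.NodeID != node.ID) {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		w.Header().Set("Content-Type", "text/plain")
		_, _ = w.Write([]byte(srv.InstallScript))
	})
}

// fetchInstallScript issues the request in-process and returns status and body.
func fetchInstallScript(h http.Handler, token, uuid string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/remote/servers/"+uuid+"/install", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	vuln := installScriptHandler(false)
	fixed := installScriptHandler(true)
	// Node 1's token asking for a server that lives on node 2.
	code, body := fetchInstallScript(vuln, "node1-secret", "bbbb-2222")
	fmt.Printf("vulnerable: %d %q\n", code, body)
	code, body = fetchInstallScript(fixed, "node1-secret", "bbbb-2222")
	fmt.Printf("fixed:      %d %q\n", code, body)
}
```

The ownership comparison is the whole fix; everything else (token lookup, constant-time compare) was already "working" in the vulnerable version, which is why authentication alone gave a false sense of safety. Returning 404 for a server on another node keeps the fixed endpoint from doubling as a UUID oracle.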
How can this vulnerability impact me?
If exploited, this vulnerability can have severe impacts including unauthorized access to sensitive server configuration data across all nodes in the Pterodactyl instance.
- Attackers can retrieve server installation scripts that may contain secret values.
- They can manipulate the installation status of servers belonging to other nodes.
- They can manipulate the transfer status of servers, potentially causing permanent data loss by triggering false transfer success events.
- Attackers can move laterally through the system, send excessive notifications, destroy server data, and exfiltrate secrets.
Overall, the vulnerability can lead to data breaches, service disruption, and loss of critical server data.
How can this vulnerability be detected on my network or system?
Detection is primarily a version check: any Pterodactyl Panel older than 1.12.1 is affected, so compare the installed Panel version against that release. For signs of exploitation, review the Panel's web server access logs for remote-API requests from a node's address that reference servers not assigned to that node, and audit who can read the Wings configuration file on every node, since that file holds the node token in plaintext.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Pterodactyl Panel to version 1.12.1 or later, which adds the missing authorization checks; the affected product listed above is the Panel, not Wings itself.
Additionally, protect the Wings node token stored in plaintext at /etc/pterodactyl/config.yml on every node: keep the file readable only by the account that runs Wings, and treat any token that may have been exposed as compromised and replace it, because before the fix a single leaked token grants access to sensitive data for every server on the Panel.
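The two checks above (Panel version below 1.12.1, and a node token file readable by more than its owner) can be scripted. The following POSIX shell is an added example for this page, not a script shipped by Pterodactyl. It assumes the Panel's `config/app.php` contains a line of the form `'version' => '1.11.10',` (an assumption about that file's layout; the function reports when no such line is found) and takes the Wings config path from this advisory.

```sh
#!/bin/sh
# Added checks for CVE-2026-26016 exposure; not part of the Pterodactyl project.

# panel_version prints the version string found in the given config/app.php.
# Assumes a line like  'version' => '1.11.10',  (assumption about file layout).
panel_version() {
  sed -n "s/.*'version' *=> *'\([0-9][0-9.]*\)'.*/\1/p" "$1" | head -n 1
}

# version_lt returns 0 when dotted version $1 is strictly lower than $2.
version_lt() {
  a=$1. b=$2.
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1
}

# panel_is_vulnerable: 0 if the Panel at config/app.php $1 is older than the
# fixed release (default 1.12.1), 1 if not, 2 if the version cannot be read.
panel_is_vulnerable() {
  v=$(panel_version "$1")
  [ -n "$v" ] || { echo "no version line found in $1" >&2; return 2; }
  version_lt "$v" "${2:-1.12.1}"
}

# wings_config_exposed: 0 if the Wings config (default /etc/pterodactyl/config.yml)
# has any group or other permission bits set, i.e. the node token is readable
# by more than the file's owner; 1 if owner-only; 2 if the file is unreadable.
wings_config_exposed() {
  f=${1:-/etc/pterodactyl/config.yml}
  [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
  perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case $perms in
    *00) return 1 ;;   # e.g. 600: owner only
    *)   return 0 ;;   # e.g. 640, 644: group or world can read the token
  esac
}

# Usage: run on the Panel host and on each node.
#   panel_is_vulnerable /var/www/pterodactyl/config/app.php && echo "Panel needs 1.12.1"
#   wings_config_exposed && echo "tighten /etc/pterodactyl/config.yml to 600"
```

Run the Panel check on the Panel host and the config check on every node; a node whose token file is group- or world-readable is the entry point this advisory describes, regardless of Panel version.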