CVE-2026-35202
Deferred Deferred - Pending Action
Database Limit Bypass in Pterodactyl Panel

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Version 1.12.3 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-04
Generated
2026-06-23
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-21
NVD
CVE-2026-35202
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pterodactyl pterodactyl_client_api to 1.12.3 (exc)
pterodactyl pterodactyl_panel to 1.12.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-35202 is a vulnerability in the Pterodactyl Panel, a game server management tool, where a logic flaw in the database allocation system allows users to bypass their assigned limits for creating databases.

The issue arises because the database locking mechanism intended to prevent concurrent database creation is broken. Specifically, the code uses Laravel's lockForUpdate() method incorrectly, which only configures a query builder but does not execute it, making the lock ineffective.

As a result, multiple simultaneous requests can bypass the limit checks, allowing users to create more databases than they are permitted.

Impact Analysis

This vulnerability can allow malicious or unauthorized users to exceed their assigned database allocation limits by creating more databases than allowed.

Such behavior can disrupt the web interface and affect system availability, potentially leading to resource exhaustion or denial of service conditions.

However, the impact on confidentiality and integrity is limited, and the overall severity score is low (CVSS 2.3).

Detection Guidance

This vulnerability arises from a logic flaw in the Pterodactyl Panel's database allocation mechanism, specifically due to ineffective locking in the DatabaseController.php file. Detection involves monitoring for abnormal or excessive database creation requests that bypass assigned limits.

Since the issue is related to concurrent requests bypassing the limit check, you can detect it by observing multiple simultaneous database creation attempts from the same user or server.

There are no specific commands provided in the resources to detect this vulnerability directly. However, you can monitor logs for unusual database creation activity or use database query logs to identify multiple rapid creation requests.

Mitigation Strategies

The primary mitigation step is to upgrade the Pterodactyl Panel to version 1.12.3 or later, where this vulnerability has been patched.

Until the upgrade can be applied, consider implementing additional throttling or rate-limiting on database creation requests to prevent abuse of the broken locking mechanism.

Review and monitor user permissions to ensure that users cannot exceed their assigned database allocation limits through concurrent requests.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35202. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart