CVE-2026-35202
Database Limit Bypass in Pterodactyl Panel
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pterodactyl | pterodactyl_client_api | < 1.12.3 (fixed in 1.12.3) |
| pterodactyl | pterodactyl_panel | < 1.12.3 (fixed in 1.12.3) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-35202 is a vulnerability in Pterodactyl Panel, an open-source game server management panel, in which a logic flaw in the database allocation code lets a user create more databases than their assigned limit allows.
The limit check is meant to be serialized by a database row lock, but that lock is never taken. The code calls Laravel's lockForUpdate() on a query builder and then discards the builder without executing it (no get(), first() or similar call), so no SELECT ... FOR UPDATE is ever sent to the database. lockForUpdate() only appends the FOR UPDATE clause to a builder; the row lock exists only once that query actually runs inside a transaction.
With no lock held, reading the current database count and then inserting the new row is a classic check-then-use race (CWE-367): several requests sent at the same moment each observe a count below the limit, and each one creates a database, so the per-server limit is exceeded (CWE-770).
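The following Laravel snippet is an added illustration of the broken-lock pattern described above set beside one standard way to fix it; it is not Pterodactyl's code, and the page does not say how 1.12.3 fixes the issue. The Eloquent models (Server, ServerDatabase), their columns (server_id, database_limit) and the exception class are hypothetical stand-ins, and row locking assumes a storage engine that honours FOR UPDATE (for example MySQL with InnoDB).

```php
<?php
// Added illustration of the broken-lock pattern this advisory describes; it is
// not Pterodactyl's code. The Eloquent models (Server, ServerDatabase), their
// columns (server_id, database_limit) and the exception class are hypothetical
// stand-ins. Requires a storage engine with row locks (e.g. MySQL/InnoDB).

use Illuminate\Database\Eloquent\Model;
use Illuminate\Support\Facades\DB;

class Server extends Model
{
    protected $guarded = [];
}

class ServerDatabase extends Model
{
    protected $guarded = [];
}

final class DatabaseLimitExceeded extends \RuntimeException
{
}

// BEFORE: lockForUpdate() only appends FOR UPDATE to a query builder. The builder
// below is never executed, so no SELECT ... FOR UPDATE reaches the database and
// no row is locked. The count() that follows runs unprotected: two requests that
// arrive together both see count < limit and both insert (CWE-367 -> CWE-770).
function createDatabaseVulnerable(int $serverId, string $name): ServerDatabase
{
    return DB::transaction(function () use ($serverId, $name): ServerDatabase {
        $server = Server::query()->findOrFail($serverId);

        // Configured but never executed: the "lock" is a no-op.
        ServerDatabase::query()->where('server_id', $serverId)->lockForUpdate();

        $count = ServerDatabase::query()->where('server_id', $serverId)->count();
        if ($count >= $server->database_limit) {
            throw new DatabaseLimitExceeded("server {$serverId} is at its database limit");
        }

        return ServerDatabase::create(['server_id' => $serverId, 'name' => $name]);
    });
}

// AFTER: lock the parent server row and actually execute the query. Locking the
// parent rather than the child rows matters: FOR UPDATE on the child table locks
// nothing when the server has no databases yet, so two first creations could
// still race. The server row always exists, so every concurrent creation for
// that server queues behind the same lock until this transaction commits, then
// re-reads the count and is rejected.
function createDatabaseFixed(int $serverId, string $name): ServerDatabase
{
    return DB::transaction(function () use ($serverId, $name): ServerDatabase {
        $server = Server::query()
            ->whereKey($serverId)
            ->lockForUpdate()
            ->firstOrFail();   // executing the builder is what takes the lock

        $count = ServerDatabase::query()->where('server_id', $server->id)->count();
        if ($count >= $server->database_limit) {
            throw new DatabaseLimitExceeded("server {$serverId} is at its database limit");
        }

        return ServerDatabase::create(['server_id' => $server->id, 'name' => $name]);
    });
}
```

Two details are easy to get wrong when applying this pattern elsewhere: the locked SELECT must run inside the same transaction as the insert (under autocommit the lock is released as soon as the statement returns), and the lock must be taken on a row that is guaranteed to exist, which is why the corrected version locks the server rather than the set of databases it already has.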
How can this vulnerability impact me? :
This vulnerability lets a user who is allowed to create databases for a server exceed the database limit assigned to that server by sending several creation requests at once.
Each database created beyond the limit consumes storage and connections on the backing database host, so sustained abuse can exhaust those resources and degrade availability of the panel and of other servers sharing that host (a denial-of-service condition).
The impact on confidentiality and integrity is limited, since the attacker only obtains more of a resource they were already permitted to create, and the overall severity is rated low (CVSS 2.3).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The flaw is a logic error in the panel's database allocation path (the advisory points at DatabaseController.php), so there is no file signature or network artifact to scan for; detection means looking for the effect: servers whose actual database count exceeds their configured limit, or bursts of simultaneous creation requests.
Because the bypass depends on concurrent requests, the tell-tale pattern is several database creation requests for the same server from the same user or API key arriving within a very short window, typically well under a second apart.
The referenced resources provide no specific detection commands. In practice, compare each server's actual database count against its configured limit in the panel's database, and review the reverse proxy or panel request logs for rapid repeated POSTs to the client API's database creation endpoint.
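As an added example of the log review just described (not part of the advisory or of Pterodactyl), the script below flags bursts of accepted database-creation requests by one user against one server. The log format is constructed for this example, "<ISO 8601 timestamp> <user> <method> <path> <status>", as a reverse proxy could be configured to emit; the path pattern assumes the client API route POST /api/client/servers/{id}/databases, and the threshold and window are illustrative defaults.

```php
<?php
// Added example, not part of the advisory or of Pterodactyl: flag bursts of
// successful database-creation requests by one user against one server. The
// log format is constructed for this example ("<ISO8601> <user> <method>
// <path> <status>"); the path pattern assumes the client API route
// POST /api/client/servers/{id}/databases.

const CREATE_ROUTE = '#^/api/client/servers/([A-Za-z0-9]+)/databases$#';

/**
 * Return one entry per (user, server) pair that issued at least $threshold
 * accepted creation requests inside any $windowSeconds-second window.
 *
 * @param string[] $lines
 * @return array<int, array{user: string, server: string, count: int, from: int, to: int}>
 */
function findDatabaseCreationBursts(array $lines, int $threshold = 3, int $windowSeconds = 2): array
{
    $events = [];  // "user|server" => unix timestamps of accepted POSTs
    foreach ($lines as $line) {
        $fields = preg_split('/\s+/', trim($line));
        if ($fields === false || count($fields) !== 5) {
            continue;  // malformed line, skip
        }
        [$ts, $user, $method, $path, $status] = $fields;
        // Only creations the panel accepted (2xx) consume quota; a 4xx was
        // already rejected by the limit check and is not evidence of a bypass.
        if ($method !== 'POST' || $status[0] !== '2' || !preg_match(CREATE_ROUTE, $path, $m)) {
            continue;
        }
        $t = strtotime($ts);
        if ($t !== false) {
            $events["{$user}|{$m[1]}"][] = $t;
        }
    }

    $bursts = [];
    foreach ($events as $key => $times) {
        sort($times);
        $best = null;
        $start = 0;
        // Sliding window: with each event as the window end, advance the start
        // until the window fits, then keep the densest qualifying window.
        foreach ($times as $end => $t) {
            while ($t - $times[$start] > $windowSeconds) {
                $start++;
            }
            $size = $end - $start + 1;
            if ($size >= $threshold && ($best === null || $size > $best['count'])) {
                $best = ['count' => $size, 'from' => $times[$start], 'to' => $t];
            }
        }
        if ($best !== null) {
            [$user, $server] = explode('|', $key, 2);
            $bursts[] = ['user' => $user, 'server' => $server] + $best;
        }
    }
    return $bursts;
}

// Constructed sample: four accepted creations for one server within about a
// second (the race pattern), plus unrelated traffic that must not be flagged.
$sampleLog = [
    '2026-06-02T10:00:00Z u17 POST /api/client/servers/1a2b3c4d/databases 201',
    '2026-06-02T10:00:00Z u17 POST /api/client/servers/1a2b3c4d/databases 201',
    '2026-06-02T10:00:01Z u17 POST /api/client/servers/1a2b3c4d/databases 201',
    '2026-06-02T10:00:01Z u17 POST /api/client/servers/1a2b3c4d/databases 201',
    '2026-06-02T10:00:05Z u17 GET /api/client/servers/1a2b3c4d/databases 200',
    '2026-06-02T10:03:00Z u42 POST /api/client/servers/9f8e7d6c/databases 201',
    '2026-06-02T10:07:00Z u42 POST /api/client/servers/9f8e7d6c/databases 400',
];

foreach (findDatabaseCreationBursts($sampleLog) as $b) {
    printf(
        "burst: user=%s server=%s count=%d window=%s..%s\n",
        $b['user'],
        $b['server'],
        $b['count'],
        gmdate('H:i:s', $b['from']),
        gmdate('H:i:s', $b['to'])
    );
}
```

A burst is only circumstantial evidence: a legitimate user can also create several databases quickly. The authoritative check is to compare each server's database count against its configured limit in the panel's database and treat any server over its limit as a confirmed bypass, using the burst report to attribute it to a user and a time window.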
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Pterodactyl Panel to version 1.12.3 or later, where the locking flaw is fixed.
Until the upgrade can be applied, consider throttling or rate-limiting database creation requests per user. Note that this only narrows the window: two requests that both fall within the permitted rate can still arrive simultaneously and race the limit check, so rate limiting reduces rather than eliminates the exposure.
Also audit existing allocations by comparing each server's database count against its configured limit and removing databases created beyond it, and restrict the permission to create databases to the accounts that actually need it, since only users with that permission can trigger the bypass.