Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.2
Pterodactyl Panel Exposes Server Configs and Data to Malicious Access
CVE-2026-26016
GHSA-g7vw-f8p5-c728
Summary
A security flaw in Pterodactyl Panel allows unauthorized access to server configurations and data. This means that a malicious user with a secret token can view and manipulate other servers, potentially exposing sensitive information. To stay safe, update your Pterodactyl Panel to the latest version, and ensure all nodes have strong access controls in place.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| pterodactyl | panel | <= 1.12.1 | – |
Original title
Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization
Original description
### Summary
A missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with.
Any authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes.
_This vulnerability requires a user to acquire a secret access token for a node. We rated this issue based on potential worst outcome. Unless a user gains access to a Wings secret access token they would not be able to access any of these vulnerable endpoints, as every endpoint requires a valid node access token._
### Details
1. The Remote API endpoint `GET /api/remote/servers/{uuid}` fetches a server by UUID and returns its complete configuration without verifying that the requesting node owns the server.
2. Both failure() and success() methods in `ServerTransferController` fetch servers by UUID without verifying node ownership.
3. Missing authorization checks in `ServerInstallController` allow any authenticated Wings node to retrieve egg installation scripts (containing deployment secrets) and manipulate the installation status of servers belonging to other nodes.
### Impact
A single compromised Wings node daemon token (stored in plaintext at `/etc/pterodactyl/config.yml`) grants access to sensitive configuration data of every server on the panel, rather than only to servers that the node has access to. An attacker can use this information to move laterally through the system, send excessive notifications, destroy server data on other nodes, and otherwise exfiltrate secrets that they should not have access to with only a node token.
Additionally, triggering a false transfer success causes the panel to delete the server from the source node, resulting in permanent data loss.
A missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with.
Any authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes.
_This vulnerability requires a user to acquire a secret access token for a node. We rated this issue based on potential worst outcome. Unless a user gains access to a Wings secret access token they would not be able to access any of these vulnerable endpoints, as every endpoint requires a valid node access token._
### Details
1. The Remote API endpoint `GET /api/remote/servers/{uuid}` fetches a server by UUID and returns its complete configuration without verifying that the requesting node owns the server.
2. Both failure() and success() methods in `ServerTransferController` fetch servers by UUID without verifying node ownership.
3. Missing authorization checks in `ServerInstallController` allow any authenticated Wings node to retrieve egg installation scripts (containing deployment secrets) and manipulate the installation status of servers belonging to other nodes.
### Impact
A single compromised Wings node daemon token (stored in plaintext at `/etc/pterodactyl/config.yml`) grants access to sensitive configuration data of every server on the panel, rather than only to servers that the node has access to. An attacker can use this information to move laterally through the system, send excessive notifications, destroy server data on other nodes, and otherwise exfiltrate secrets that they should not have access to with only a node token.
Additionally, triggering a false transfer success causes the panel to delete the server from the source node, resulting in permanent data loss.
nvd CVSS3.1
8.1
nvd CVSS4.0
9.2
Vulnerability type
CWE-283
CWE-639
Authorization Bypass Through User-Controlled Key
Published: 17 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026