Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
Pterodactyl Panel: Active SFTP sessions persist after account deletion or password change
GHSA-hr7j-63v7-vj7g
Summary
Using Pterodactyl Panel, deleting a user or changing their password doesn't immediately end existing SFTP connections. This means someone could still access your server's files even after you think you've revoked their access. To fix this, check for active SFTP sessions after revoking access and manually close any connections you find.
What to do
- Update pterodactyl panel to version 1.12.1.
- Update github.com pterodactyl to version 1.12.1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| pterodactyl | panel | <= 1.12.1 | 1.12.1 |
| github.com | pterodactyl | <= 1.12.1 | 1.12.1 |
Original title
Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change
Original description
### Summary
Deleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked.
This can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.
### Details
When a user with SFTP access is deleted from the Pterodactyl Panel or when the user's password is changed while one or more SFTP connections are active, those existing connections remain fully functional.
Neither account deletion nor password change invalidates the authentication state of already-established SFTP sessions. As a result, the active SFTP connection pool continues to allow read and write operations until the client disconnects or the session times out.
This behavior occurs even when the password is changed by an administrator through the panel, meaning credential rotation does not revoke active access.
This suggests that active SFTP sessions are not tracked or forcefully terminated on credential revocation events. This effectively prevents administrators from responding to credential compromise incidents in real time.
### PoC
Scenario 1: Account deletion
1. Create a user with SFTP access to a server.
2. Connect to the server via SFTP using any SFTP client (e.g. sftp, FileZilla).
3. Keep the SFTP session open and active.
4. Delete the user account from the Pterodactyl Panel.
5. Continue performing file operations through the already-established SFTP connection.
Result:
The SFTP session remains active and usable despite the user account being deleted.
Scenario 2: Password change
1. Create a user with SFTP access to a server.
2. Establish an active SFTP connection.
3. Change the user's password (including via administrator panel).
4. Continue performing file operations using the existing SFTP connection.
Result:
The SFTP session remains active and usable even after the password has been changed.
### Impact
This issue prevents immediate revocation of compromised credentials. Vulnerability type: Access control / session invalidation issue
Impacted parties:
1. Server administrators
2. Hosting providers using Pterodactyl Panel
Security impact:
Deleted users may retain filesystem access longer than intended, which can lead to:
1. Unauthorized data access
2. Data modification or deletion
3. Compliance and security policy violations
Deleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked.
This can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.
### Details
When a user with SFTP access is deleted from the Pterodactyl Panel or when the user's password is changed while one or more SFTP connections are active, those existing connections remain fully functional.
Neither account deletion nor password change invalidates the authentication state of already-established SFTP sessions. As a result, the active SFTP connection pool continues to allow read and write operations until the client disconnects or the session times out.
This behavior occurs even when the password is changed by an administrator through the panel, meaning credential rotation does not revoke active access.
This suggests that active SFTP sessions are not tracked or forcefully terminated on credential revocation events. This effectively prevents administrators from responding to credential compromise incidents in real time.
### PoC
Scenario 1: Account deletion
1. Create a user with SFTP access to a server.
2. Connect to the server via SFTP using any SFTP client (e.g. sftp, FileZilla).
3. Keep the SFTP session open and active.
4. Delete the user account from the Pterodactyl Panel.
5. Continue performing file operations through the already-established SFTP connection.
Result:
The SFTP session remains active and usable despite the user account being deleted.
Scenario 2: Password change
1. Create a user with SFTP access to a server.
2. Establish an active SFTP connection.
3. Change the user's password (including via administrator panel).
4. Continue performing file operations using the existing SFTP connection.
Result:
The SFTP session remains active and usable even after the password has been changed.
### Impact
This issue prevents immediate revocation of compromised credentials. Vulnerability type: Access control / session invalidation issue
Impacted parties:
1. Server administrators
2. Hosting providers using Pterodactyl Panel
Security impact:
Deleted users may retain filesystem access longer than intended, which can lead to:
1. Unauthorized data access
2. Data modification or deletion
3. Compliance and security policy violations
ghsa CVSS4.0
7.5
Vulnerability type
CWE-284
Improper Access Control
CWE-613
Published: 17 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026