CVE-2026-21696
📋 TL;DR
This vulnerability allows low-privileged users to trigger a database flood in Pterodactyl Panel by exploiting Wings' failure to respect SQLite's parameter limit. When Wings attempts to delete more than 32,766 activity log entries in one query, it fails and continuously re-sends the same data, potentially filling the panel's database disk space. Affected systems run Pterodactyl Wings versions 1.7.0 through 1.11.x.
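As an added illustration of the failure mode described above (example code, not from Wings or this advisory): a Go sketch of an activity-log purge that binds one `?` per row id, first as a single statement that trips SQLite's default variable limit and so deletes nothing, then batched so every statement stays under it. `deleteByIDs`, `fakeDB` and the 40,000 constructed row ids are assumptions for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// SQLite's default SQLITE_MAX_VARIABLE_NUMBER: more bound "?" fails with "too many SQL variables".
const sqliteMaxVariables = 32766

// deleteByIDs issues DELETE ... WHERE id IN (?, ...) in batches of at most batchSize ids
// (batchSize <= 0 means no batching, the vulnerable pattern); it returns statements run.
func deleteByIDs(exec func(string, []any) error, ids []int64, batchSize int) (int, error) {
	batches := 0
	for len(ids) > 0 {
		chunk := ids
		if batchSize > 0 && len(chunk) > batchSize {
			chunk = chunk[:batchSize]
		}
		ids = ids[len(chunk):]
		marks := strings.TrimSuffix(strings.Repeat("?,", len(chunk)), ",")
		args := make([]any, len(chunk))
		for i, id := range chunk {
			args[i] = id
		}
		if err := exec("DELETE FROM activity_logs WHERE id IN ("+marks+")", args); err != nil {
			return batches, fmt.Errorf("batch %d: %w", batches, err)
		}
		batches++
	}
	return batches, nil
}

// fakeDB stands in for the SQLite driver (assumed, not Wings code): rejects over-limit binds, counts rows.
type fakeDB struct{ limit, deleted int }

func (db *fakeDB) Exec(_ string, args []any) error {
	if len(args) > db.limit {
		return fmt.Errorf("SQL logic error: too many SQL variables (1)")
	}
	db.deleted += len(args)
	return nil
}

func main() {
	ids := make([]int64, 40000) // constructed sample: 40,000 stale log rows
	db := &fakeDB{limit: sqliteMaxVariables}
	_, err := deleteByIDs(db.Exec, ids, 0) // vulnerable: one huge IN list, nothing deleted
	n, _ := deleteByIDs(db.Exec, ids, sqliteMaxVariables)
	fmt.Printf("unbatched: %v\nbatched: %d statements, %d rows deleted\n", err, n, db.deleted)
}
```

Because the unbatched statement fails as a whole, the rows survive and the same purge is retried on the next run, which is the re-send loop the TL;DR describes.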
💻 Affected Systems
- Pterodactyl Wings
📦 What is this software?
Wings by Pterodactyl
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service as the panel's database server runs out of disk space, rendering the game server management panel unusable and potentially affecting hosted game servers.
Likely Case
Degraded panel performance and eventual service disruption as the database fills with duplicate activity records, requiring manual cleanup and a service restart.
If Mitigated
Minimal impact if monitoring and disk-space alerts are in place, allowing intervention before critical failure.
🎯 Exploit Status
Exploitation requires authenticated low-privileged access to generate activity logs. The vulnerability is straightforward to trigger once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.0
Vendor Advisory: https://github.com/pterodactyl/wings/security/advisories/GHSA-2497-gp99-2m74
Restart Required: Yes
Instructions:
1. Stop all game servers managed by Wings.
2. Back up the Wings configuration and data.
3. Update Wings to version 1.12.0 or later using your package manager or a manual installation.
4. Restart the Wings service.
5. Verify that there are no activity log processing errors in the Wings logs.
🔧 Temporary Workarounds
Manual Activity Log Cleanup
Regularly clean activity logs before they reach 32,766 entries to prevent triggering the SQLite parameter limit.
sudo wings --clean-activity-logs
sudo systemctl restart wings
Reduce Activity Log Retention
Configure Wings to retain fewer activity log entries by modifying the activity log cleanup schedule.
Edit /etc/pterodactyl/config.yml and reduce the activity log retention period.
sudo systemctl restart wings
🧯 If You Can't Patch
- Implement strict rate limiting on activity log generation API endpoints
- Monitor database disk usage and set up alerts for rapid growth
🔍 How to Verify
Check if Vulnerable:
Check the Wings version with 'wings --version', or examine the service logs for SQLite parameter limit errors when activity logs are processed.
Check Version:
wings --version
Verify Fix Applied:
After updating to 1.12.0+, check that activity log processing completes without SQLite errors and database size remains stable.
📡 Detection & Monitoring
Log Indicators:
- SQL logic error: too many SQL variables (1)
- Repeated activity log processing errors
- Rapid growth in panel database size
Network Indicators:
- Unusual volume of activity log uploads to panel
- Increased database connection attempts
SIEM Query:
(source="wings.log" AND "too many SQL variables") OR (source="panel.log" AND "database disk full")
🔗 References
- https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/activity_cron.go#L81
- https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/sftp_cron.go#L86
- https://github.com/pterodactyl/wings/security/advisories/GHSA-2497-gp99-2m74