CVE-2026-26016
📋 TL;DR
CVE-2026-26016 is an authorization bypass vulnerability in Pterodactyl Panel's Wings control plane that allows any authenticated Wings node to access and manipulate servers belonging to other nodes. This enables attackers with a compromised node token to retrieve sensitive server configuration data, trigger false transfers causing data loss, and move laterally through the system. All Pterodactyl instances running Wings versions before 1.12.1 are affected.
💻 Affected Systems
- Pterodactyl Panel
- Wings (Pterodactyl server control plane)
📦 What is this software?
Panel by Pterodactyl
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all game servers managed by the panel, permanent data loss through false transfer triggers, lateral movement to other nodes, and exfiltration of all server secrets and configurations.
Likely Case
Unauthorized access to server installation scripts containing secrets, manipulation of server statuses, and potential data destruction on other nodes by an attacker with a single compromised node token.
If Mitigated
Limited impact if proper network segmentation and token protection are in place, but still allows unauthorized access to server data across nodes.
🎯 Exploit Status
Exploitation requires obtaining a valid node access token, but once obtained, the authorization bypass is straightforward to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.12.1
Vendor Advisory: https://github.com/pterodactyl/panel/security/advisories/GHSA-g7vw-f8p5-c728
Restart Required: Yes
Instructions:
1. Backup your Pterodactyl configuration and databases.
2. Update Pterodactyl Panel to version 1.12.1 using your preferred update method.
3. Update all Wings instances to version 1.12.1.
4. Restart all Wings services.
5. Verify the fix by checking version numbers.
🔧 Temporary Workarounds
Restrict Node Token Access
Implement strict file permissions on node configuration files and monitor access to node tokens.
chmod 600 /etc/pterodactyl/config.yml
chown root:root /etc/pterodactyl/config.yml
Network Segmentation
Isolate Wings nodes from each other to limit lateral movement potential.
🧯 If You Can't Patch
- Implement strict access controls on /etc/pterodactyl/config.yml files across all nodes
- Monitor all API calls between Wings nodes and the panel for unauthorized cross-node access patterns
🔍 How to Verify
Check if Vulnerable:
Check the Wings version with: wings --version. If the version is below 1.12.1, the system is vulnerable.
Check Version:
wings --version
Verify Fix Applied:
Verify that the Wings version is 1.12.1 or higher with: wings --version. Test that nodes can only access their own assigned servers.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized API calls from nodes accessing servers not assigned to them
- Multiple failed transfer status updates
- Unexpected server deletion events
Network Indicators:
- Unusual API traffic patterns between nodes and the panel
- Cross-node server data requests
SIEM Query:
source="pterodactyl" AND (event="server_access" OR event="transfer_status") AND src_node!=assigned_node
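The same src_node != assigned_node check, as an added standalone example that is not part of this advisory or of Pterodactyl's code. It assumes a constructed key=value log format and a constructed server-to-node assignment map; real Pterodactyl/Wings log formats differ and would need their own parser.

```python
"""Flag cross-node server access in constructed key=value audit lines."""
import re

# Constructed example: which node each server is assigned to.
ASSIGNED_NODE = {"srv-aaa": "node-1", "srv-bbb": "node-2", "srv-ccc": "node-2"}

# Constructed sample lines in an assumed "k=v k=v" format (not a real Pterodactyl log).
SAMPLE_LOG = """\
source=pterodactyl event=server_access src_node=node-1 server=srv-aaa
source=pterodactyl event=server_access src_node=node-1 server=srv-bbb
source=pterodactyl event=transfer_status src_node=node-2 server=srv-ccc status=failed
source=pterodactyl event=transfer_status src_node=node-1 server=srv-ccc status=failed
source=pterodactyl event=server_access src_node=node-2 server=srv-zzz
source=other event=server_access src_node=node-1 server=srv-bbb
"""

KV = re.compile(r"(\w+)=(\S+)")
WATCHED_EVENTS = {"server_access", "transfer_status"}


def parse_line(line: str) -> dict:
    """Turn 'k=v k=v' into a dict; tokens without '=' are ignored."""
    return dict(KV.findall(line))


def find_cross_node_access(log_text: str, assigned: dict) -> list:
    """Return events where the requesting node is not the server's assigned node.

    Mirrors the SIEM query above: source=pterodactyl, event in the watched set,
    and src_node != assigned_node. Servers absent from the assignment map are
    reported as well, since an unknown server id is itself worth a look.
    """
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("source") != "pterodactyl" or ev.get("event") not in WATCHED_EVENTS:
            continue
        owner = assigned.get(ev.get("server", ""))
        if owner != ev.get("src_node"):
            ev["assigned_node"] = owner or "unknown"
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_cross_node_access(SAMPLE_LOG, ASSIGNED_NODE):
        print(f"ALERT {hit['event']}: {hit['src_node']} touched {hit['server']} "
              f"(assigned to {hit['assigned_node']})")
```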