
CVE

CVE-2026-26016

Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization

Summary

A missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with.

Any authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes.

This vulnerability requires a user to acquire a secret access token for a node. We rated this issue based on the potential worst outcome. Unless a user gains access to a Wings secret access token, they would not be able to reach any of these vulnerable endpoints, as every endpoint requires a valid node access token.

Details

  1. The Remote API endpoint GET /api/remote/servers/{uuid} fetches a server by UUID and returns its complete configuration without verifying that the requesting node owns the server.
  2. Both failure() and success() methods in ServerTransferController fetch servers by UUID without verifying node ownership.
  3. Missing authorization checks in ServerInstallController allow any authenticated Wings node to retrieve egg installation scripts (containing deployment secrets) and manipulate the installation status of servers belonging to other nodes.

Impact

A single compromised Wings node daemon token (stored in plaintext at /etc/pterodactyl/config.yml) grants access to sensitive configuration data of every server on the panel, rather than only to the servers assigned to that node. An attacker can use this information to move laterally through the system, send excessive notifications, destroy server data on other nodes, and exfiltrate secrets that a node token alone should never expose.

Additionally, triggering a false transfer success causes the panel to delete the server from the source node, resulting in permanent data loss.
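The missing check in the Details section, and the transfer case from the Impact section, modelled as an added example (not Pterodactyl's code; all names, the in-memory Panel, the tokens and the servers are constructed here). The vulnerable lookup authenticates the node and then fetches the server by UUID alone; the fixed lookup also requires the server to be assigned to the node the token identifies, and the transfer-status handler only accepts reports from a node that is party to the transfer.

```python
from dataclasses import dataclass, field
from typing import Optional
class Forbidden(Exception):
    """Raised when a node acts on a server it is not authorized for."""
@dataclass
class Server:
    uuid: str
    node_id: int
    install_script: str  # egg install script; may embed deployment secrets
    transfer_target: Optional[int] = None  # destination node while a transfer runs
@dataclass
class Panel:
    node_tokens: dict[str, int]  # Wings node token -> node id (constructed)
    servers: dict[str, Server] = field(default_factory=dict)
    def node_for_token(self, token: str) -> int:
        """Authentication only: every remote endpoint already requires this."""
        if token not in self.node_tokens:
            raise Forbidden("unknown node token")
        return self.node_tokens[token]

    def vulnerable_lookup(self, token: str, uuid: str) -> Server:
        """The gap: node is authenticated, but the server is fetched by UUID alone."""
        self.node_for_token(token)
        return self.servers[uuid]

    def scoped_lookup(self, token: str, uuid: str) -> Server:
        """The fix: the server must be assigned to the node the token identifies."""
        node_id = self.node_for_token(token)
        server = self.servers.get(uuid)
        if server is None or server.node_id != node_id:
            # one response for "missing" and "not yours": no UUID existence oracle
            raise Forbidden(f"server {uuid} is not assigned to node {node_id}")
        return server

    def transfer_success(self, token: str, uuid: str) -> bool:
        """Transfer status: only a node that is party to the transfer may report it."""
        node_id = self.node_for_token(token)
        server = self.servers.get(uuid)
        if server is None or server.transfer_target is None:
            raise Forbidden("no transfer in progress for this server")
        if node_id not in (server.node_id, server.transfer_target):
            raise Forbidden("requesting node is not a party to this transfer")
        server.node_id, server.transfer_target = server.transfer_target, None
        return True
def demo_panel() -> Panel:
    """Constructed fixture: node 1 owns 'aaaa'; 'bbbb' is moving from node 2 to 3."""
    panel = Panel(node_tokens={"tok-node1": 1, "tok-node2": 2, "tok-node3": 3})
    panel.servers["aaaa"] = Server("aaaa", 1, "echo secret-from-node1")
    panel.servers["bbbb"] = Server("bbbb", 2, "echo secret-from-node2", 3)
    return panel
```

With the fixture above, node 1's token reads node 2's install script through `vulnerable_lookup` but is refused by `scoped_lookup`, and only node 2 or node 3 can report the transfer of `bbbb` as successful.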

Package Versions Affected

No items found.


CVSS

CVSS Version: 4.0
Base Score: 9.2
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X


References

https://github.com/pterodactyl/panel/security/advisories/GHSA-g7vw-f8p5-c728
https://nvd.nist.gov/vuln/detail/CVE-2026-26016
https://github.com/pterodactyl/panel
https://github.com/pterodactyl/panel/releases/tag/v1.12.1

Severity

8.1


Basic Information

Base CVSS: 8.1
EPSS Probability: 0.00041%
EPSS Percentile: 0.12468%
Introduced Version: 0
Fix Available: 1.12.1
