Pterodactyl Wings Missing Authorization Check Vulnerability Allows Cross-Node Server Data Access

Vulnerability

A vulnerability in Pterodactyl Wings prior to version 1.12.1 allows users with a node secret token to access information about any server on the instance, regardless of node association. This issue arises from a lack of authorization checks, enabling authenticated Wings nodes to retrieve server installation scripts and manipulate the installation and transfer statuses of servers on other nodes. The vulnerability requires access to a Wings secret access token, which can be obtained from the node's configuration file.
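The missing check described above, sketched as an added example (not Pterodactyl's code): a node-authenticated request is honoured only when the requested server belongs to the node that presented the token. `Backend`, `Server`, `serverForNode`, `MarkTransferred`, the tokens and the server UUID are all hypothetical names and constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed, simplified model of an API that answers node-authenticated requests; all names are hypothetical.
type Server struct {
	NodeID        int
	InstallScript string
	Transferred   bool
}

type Backend struct {
	nodeByToken map[string]int     // node secret token -> node ID
	servers     map[string]*Server // server UUID -> server
}

var ErrDenied = errors.New("unknown token or server not on this node")

// serverForNode authenticates the token, then requires the server to be on that node; without the NodeID comparison any valid token reaches any server.
func (b *Backend) serverForNode(token, uuid string) (*Server, error) {
	nodeID, known := b.nodeByToken[token]
	s, found := b.servers[uuid]
	if !known || !found || s.NodeID != nodeID {
		return nil, ErrDenied // same answer for missing and foreign servers
	}
	return s, nil
}

func (b *Backend) MarkTransferred(token, uuid string) error { // state change, same check
	s, err := b.serverForNode(token, uuid)
	if err == nil {
		s.Transferred = true
	}
	return err
}

func sampleBackend() *Backend { // constructed sample data
	return &Backend{
		nodeByToken: map[string]int{"token-node-1": 1, "token-node-2": 2},
		servers:     map[string]*Server{"srv-b": {NodeID: 2, InstallScript: "echo b"}},
	}
}

func main() {
	fmt.Println("node 1 -> srv-b:", sampleBackend().MarkTransferred("token-node-1", "srv-b"))
}
```

Routing every node-facing handler through one scoped lookup keeps read paths (install scripts) and write paths (install and transfer status) under the same ownership test.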

Impact

Exploitation of this vulnerability allows access to sensitive server configuration data across the Pterodactyl panel, regardless of node ownership. This could lead to unauthorized manipulation of server data, including causing permanent data loss by falsely indicating a server transfer was successful.

Remediation

Users are advised to upgrade to Pterodactyl Wings version 1.12.1.

Added: Feb 19, 2026, 6:20 PM
Updated: Feb 19, 2026, 6:20 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.0
exploitability: 4.4
remediation: 7.7
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.