
CVE-2026-21696: CWE-400: Uncontrolled Resource Consumption in pterodactyl wings

Severity: High
Published: Mon Jan 19 2026 (01/19/2026, 19:25:43 UTC)
Source: CVE Database V5
Vendor/Project: pterodactyl
Product: wings

Description

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider the SQLite max parameter limit when processing activity log entries, allowing a low-privileged user to trigger a condition that floods the panel with activity records. After Wings sends activity logs to the panel it deletes the processed activity entries from the Wings SQLite database. However, it does not consider SQLite's max parameter limit (32766 as of SQLite 3.32.0). If Wings attempts to delete more than 32766 entries from the SQLite database in one query, it triggers an error (SQL logic error: too many SQL variables (1)) and does not remove any entries from the database. These entries are then indefinitely re-processed and resent to the panel each time the cron runs. By successfully exploiting this vulnerability, an attacker can trigger a situation where Wings will keep uploading the same activity data to the panel repeatedly (growing each time to include new activity) until the panel's database server runs out of disk space. Version 1.12.0 fixes the issue.

AI-Powered Analysis

Last updated: 01/19/2026, 19:50:31 UTC

Technical Analysis

CVE-2026-21696 is a resource exhaustion vulnerability (CWE-400) in Pterodactyl Wings, the server control plane of the open-source Pterodactyl game server management panel, affecting versions from 1.7.0 up to but not including 1.12.0. Wings buffers server activity events in a local SQLite database; a periodic cron job uploads the pending entries to the panel and then deletes the uploaded rows. The delete is a single statement that binds one parameter per row id (a DELETE ... WHERE id IN (?, ?, ...) pattern), so once more than SQLITE_MAX_VARIABLE_NUMBER rows are pending (32,766 by default since SQLite 3.32.0; 999 in older builds) SQLite rejects the statement with "too many SQL variables" and no rows are removed. The rows stay in the database, are re-uploaded on every subsequent cron run, and each run's batch also contains whatever activity arrived since the last run, so the upload grows linearly and never shrinks. The result is uncontrolled resource consumption on the panel side: the panel's database ingests the same records over and over until its disk fills, which is a denial of service against the panel and, by extension, every game server it manages. The trigger is reachable by a low-privileged user who can generate activity on a server they have access to (ordinary actions that Wings records as activity, such as console commands); all that is required is to push more than the parameter limit of entries between two cron runs, after which the backlog sustains itself with no further interaction. Version 1.12.0 fixes the issue by keeping the delete within SQLite's parameter limit; the advisory does not detail the change, but batching the delete is the natural fix. No exploitation in the wild is reported as of publication. The recorded CVSS 4.0 base score is 8.3 (High), reflecting a network attack vector, low attack complexity, no user interaction and high availability impact; note that, per the description, a low-privileged account on a managed server is required, so this is not an unauthenticated attack.

Potential Impact

For European organizations running Wings 1.7.0 through 1.11.x, this vulnerability poses a significant denial-of-service risk through disk exhaustion on the panel's database server. Once that database server runs out of disk, the panel's own writes fail and management of every hosted game server through that panel is disrupted, causing downtime or degraded availability. Before the disk fills, the repeated uploads raise database load and Wings-to-panel network traffic, which can degrade other services sharing the same infrastructure. Because exploitation needs only a low-privileged account and no user interaction, an insider or a compromised customer account on a single server is sufficient, and the backlog keeps growing without any further attacker action. Recovery requires clearing the stuck entries on the affected Wings node (or upgrading so they drain), removing the duplicated records from the panel's database, or restoring from backup, all of which add operational overhead. Given Pterodactyl's popularity in the gaming community and among hosting providers, the exposed population ranges from small gaming communities to large multi-tenant hosting providers in Europe.

Mitigation Recommendations

The primary mitigation is to upgrade Pterodactyl Wings to version 1.12.0 or later. A fixed Wings keeps its deletes within the parameter limit and so should be able to drain an existing backlog, but records already duplicated into the panel's database are not removed for you: check the panel's activity log table for repeated entries, prune them, and reclaim disk on the database server. For organizations unable to upgrade immediately:
1) Patch the delete in Wings so it runs in chunks. SQLITE_MAX_VARIABLE_NUMBER is 32766 only for SQLite 3.32.0 and later (999 before), so either choose a chunk size below 999 or read the limit at runtime rather than assuming 30,000. This is a source change; Wings has no configuration setting for it.
2) Monitor the Wings SQLite database: a pending activity row count above the parameter limit that never decreases is the stuck state. Alert on growth of that file, on the size of each activity upload, and on disk usage of the panel's database server.
3) Limit what low-privileged users can do on servers you do not trust, since every action they generate counts toward the backlog.
4) If a node is already stuck, back up the Wings database and purge the pending activity rows by hand so the next cron run starts from an empty table.
5) Give the panel's database server dedicated storage with headroom and disk-usage alerting or quotas; the exhaustion occurs there, not on the Wings node.
6) Keep Wings and the panel reachable only from trusted networks and accounts through segmentation and access controls.
These measures reduce the likelihood and blast radius of exploitation until the upgrade is performed.
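The failure mode described in the Technical Analysis and the chunked delete suggested in mitigation 1 can be reproduced offline against SQLite. The following Python script is an added example written for this page; it is not Wings source code (Wings is written in Go), and the table name, column names and the `_upload` stand-in for the HTTP call to the panel are assumptions. It detects the bound-parameter limit of the local SQLite build, shows that a single `DELETE ... WHERE id IN (...)` with more ids than that limit removes nothing, shows the backlog being re-sent and growing on every simulated cron run, and then drains it with a chunked delete. `flush_is_stuck` is the check a monitor would run on the Wings database for mitigation 2.

```python
"""Added example for CVE-2026-21696 (not Wings code): reproduce the stalled
activity-log flush against SQLite and drain it with a chunked DELETE.
The table/column names and the _upload stand-in are assumptions."""
import sqlite3

PROBE_UPPER = 300_000  # above any compile-time SQLITE_MAX_VARIABLE_NUMBER in common builds


def open_activity_db():
    """In-memory stand-in for the Wings SQLite activity-log store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE activity (id INTEGER PRIMARY KEY, event TEXT NOT NULL)")
    return conn


def record_events(conn, count, event="server:console.command"):
    """Simulate a user generating `count` activity entries between two cron runs."""
    conn.executemany("INSERT INTO activity (event) VALUES (?)", [(event,)] * count)
    conn.commit()


def pending_count(conn):
    return conn.execute("SELECT COUNT(*) FROM activity").fetchone()[0]


def variable_limit(conn):
    """Bound-parameter limit of this SQLite build (32766 by default since 3.32.0, 999 before)."""
    try:
        return conn.getlimit(sqlite3.SQLITE_LIMIT_VARIABLE_NUMBER)  # Python >= 3.11
    except AttributeError:
        lo, hi = 1, PROBE_UPPER  # older Python: binary-search the largest IN-list that compiles
        while lo < hi:
            mid = (lo + hi + 1) // 2
            try:
                conn.execute("SELECT 1 WHERE 1 IN (%s)" % ",".join("?" * mid), [0] * mid)
                lo = mid
            except sqlite3.OperationalError:
                hi = mid - 1
        return lo


def flush_is_stuck(conn):
    """True once the pre-1.12.0 delete can no longer succeed: more pending rows than placeholders."""
    return pending_count(conn) > variable_limit(conn)


def _upload(ids):
    """Stand-in for the POST to the panel; returns the number of rows sent."""
    return len(ids)


def _delete_ids(conn, ids):
    placeholders = ",".join("?" * len(ids))
    return conn.execute("DELETE FROM activity WHERE id IN (%s)" % placeholders, ids).rowcount


def flush_vulnerable(conn):
    """Pre-1.12.0 behaviour: one DELETE binding every uploaded id. Returns (sent, deleted)."""
    ids = [row[0] for row in conn.execute("SELECT id FROM activity ORDER BY id")]
    if not ids:
        return 0, 0
    sent = _upload(ids)
    try:
        deleted = _delete_ids(conn, ids)
        conn.commit()
        return sent, deleted
    except sqlite3.OperationalError:
        conn.rollback()  # "too many SQL variables": nothing removed, every row is re-sent next run
        return sent, 0


def flush_fixed(conn, chunk_size=1000):
    """Delete in chunks that never exceed the build's limit. Returns (sent, deleted)."""
    ids = [row[0] for row in conn.execute("SELECT id FROM activity ORDER BY id")]
    if not ids:
        return 0, 0
    sent = _upload(ids)
    step = max(1, min(chunk_size, variable_limit(conn)))
    deleted = sum(_delete_ids(conn, ids[i:i + step]) for i in range(0, len(ids), step))
    conn.commit()
    return sent, deleted


def simulate_cron(conn, flush, runs, new_events_per_run):
    """Run `flush` repeatedly with fresh activity arriving in between; returns rows sent per run."""
    sent_per_run = []
    for _ in range(runs):
        record_events(conn, new_events_per_run)
        sent, _deleted = flush(conn)
        sent_per_run.append(sent)
    return sent_per_run


if __name__ == "__main__":
    db = open_activity_db()
    limit = variable_limit(db)
    print("SQLite", sqlite3.sqlite_version, "parameter limit", limit)
    record_events(db, limit + 1)  # a single burst past the limit is enough
    print("vulnerable flush (sent, deleted):", flush_vulnerable(db))
    print("stuck:", flush_is_stuck(db))
    print("re-sent per run:", simulate_cron(db, flush_vulnerable, 3, 10))
    print("fixed flush (sent, deleted):", flush_fixed(db))
```

Run it with `python3 repro.py`; it prints the detected limit, the vulnerable flush returning zero deletions, and the per-run upload sizes climbing by ten each run before the chunked delete clears the table. Some distributions compile libsqlite3 with a larger SQLITE_MAX_VARIABLE_NUMBER than the upstream default, which is why the chunk size is capped at whatever the build reports rather than hard-coded to 30,000.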


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-01-02T18:45:27.397Z
CVSS Version: 4.0
State: PUBLISHED


Added to database: 1/19/2026, 7:35:55 PM

Last enriched: 1/19/2026, 7:50:31 PM

Last updated: 1/19/2026, 9:58:59 PM
