CVE-2026-21696: CWE-400: Uncontrolled Resource Consumption in pterodactyl wings
CVE-2026-21696 is a high-severity vulnerability in Pterodactyl Wings versions 1.7.0 up to but not including 1.12.0. It arises from Wings not respecting SQLite's maximum bound-parameter limit when deleting activity log entries: once the number of entries to delete exceeds that limit, the deletion query fails and the entries accumulate indefinitely. The same entries are then reprocessed and uploaded to the panel on every run, so the volume sent grows over time and can exhaust the disk space of the panel's database server. The vulnerability can be exploited by a low-privileged user without authentication or user interaction. The issue is fixed in version 1.12.0.
AI Analysis
Technical Summary
CVE-2026-21696 is an uncontrolled resource consumption vulnerability (CWE-400) affecting Wings, the server control plane component of the Pterodactyl open-source game server management panel. The flaw exists in versions from 1.7.0 up to but not including 1.12.0. Wings stores activity log entries in a local SQLite database. When it processes these logs, it attempts to delete the processed entries in bulk with a single SQL statement, binding one parameter per entry. It does not account for SQLite's per-statement bound-parameter limit (SQLITE_MAX_VARIABLE_NUMBER), which defaults to 32,766 as of SQLite 3.32.0 and was 999 before that. Once the number of pending entries exceeds the limit, SQLite rejects the statement with "too many SQL variables" and no entries are deleted. The entries therefore remain in the database and are reprocessed and resent to the panel on every run of the periodic job, together with the entries generated since the previous run. Each cycle's upload thus contains everything uploaded before plus the new entries, so the volume sent grows with every cycle and the backlog never drains. Over time this fills the disk of the panel's database server, resulting in denial of service. The vulnerability can be triggered by a low-privileged user without authentication or user interaction, which increases its risk. The issue was fixed in Wings version 1.12.0 by properly handling the SQLite parameter limit during deletion operations. No known exploits are reported in the wild as of the publication date. The CVSS 4.0 score is 8.3 (high severity), reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and high impact on availability.
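The failure mode above, reproduced as an added example (this is not Wings' own code, which is written in Go; Python's standard-library sqlite3 is used here so it runs offline). The table name `activity_logs`, its columns, the sample event strings and the model of the processing job (upload everything pending, then delete it) are assumptions made for the example. `delete_single_statement` reconstructs the pre-1.12.0 pattern of one DELETE with a placeholder per entry; `delete_chunked` shows the bounded-batch deletion that stays under the limit; `run_cycles` shows how the per-cycle upload grows once a single statement fails.

```python
"""Added example: an oversized DELETE ... IN (?, ?, ...) fails past SQLite's
bound-parameter limit, leaving activity entries to be resent every cycle."""
import sqlite3
from typing import Callable, List, Optional

# Schema and rows are constructed for this example, not taken from Wings.
SCHEMA = ("CREATE TABLE activity_logs ("
          "id INTEGER PRIMARY KEY, event TEXT NOT NULL, timestamp TEXT NOT NULL)")
INSERT = "INSERT INTO activity_logs (event, timestamp) VALUES (?, ?)"


def open_db(limit: Optional[int] = None) -> sqlite3.Connection:
    """In-memory stand-in for the Wings activity database. On Python >= 3.11 the
    per-statement parameter limit can be lowered (999 was SQLite's default before
    3.32.0) so the failure reproduces with few rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    if limit is not None and hasattr(conn, "setlimit"):
        conn.setlimit(sqlite3.SQLITE_LIMIT_VARIABLE_NUMBER, limit)
    return conn


def variable_limit(conn: sqlite3.Connection) -> int:
    """Bound parameters this connection accepts per statement."""
    if hasattr(conn, "getlimit"):
        return conn.getlimit(sqlite3.SQLITE_LIMIT_VARIABLE_NUMBER)

    def accepts(k: int) -> bool:  # older Python: probe with a one-column query
        try:
            conn.execute("SELECT 1 IN (" + ",".join("?" * k) + ")", [0] * k)
            return True
        except sqlite3.OperationalError:
            return False

    hi = 512
    while hi <= 1 << 20 and accepts(hi):
        hi *= 2
    lo = hi // 2                      # lo accepted, hi rejected: binary search
    while hi - lo > 1:
        mid = (lo + hi) // 2
        lo, hi = (mid, hi) if accepts(mid) else (lo, mid)
    return lo


def add_entries(conn: sqlite3.Connection, n: int) -> None:
    """Append n entries, as player or API actions would (constructed sample data)."""
    conn.executemany(INSERT, (("server:console.command", "2026-01-19T19:35:55Z")
                              for _ in range(n)))
    conn.commit()


def pending_ids(conn: sqlite3.Connection) -> List[int]:
    return [r[0] for r in conn.execute("SELECT id FROM activity_logs ORDER BY id")]


def delete_single_statement(conn: sqlite3.Connection, ids: List[int]) -> bool:
    """Pre-1.12.0 pattern (reconstructed): one DELETE, one placeholder per id.
    Past the limit SQLite raises 'too many SQL variables' and deletes nothing."""
    if not ids:
        return True
    marks = ",".join("?" * len(ids))
    try:
        conn.execute(f"DELETE FROM activity_logs WHERE id IN ({marks})", ids)
        conn.commit()
        return True
    except sqlite3.OperationalError:  # e.g. "too many SQL variables"
        conn.rollback()
        return False


def delete_chunked(conn: sqlite3.Connection, ids: List[int],
                   chunk: Optional[int] = None) -> bool:
    """Safe pattern: never bind more than `chunk` (default: the limit) per statement."""
    chunk = chunk or variable_limit(conn)
    try:
        for start in range(0, len(ids), chunk):
            part = ids[start:start + chunk]
            marks = ",".join("?" * len(part))
            conn.execute(f"DELETE FROM activity_logs WHERE id IN ({marks})", part)
        conn.commit()
        return True
    except sqlite3.OperationalError:
        conn.rollback()
        return False


def run_cycles(conn: sqlite3.Connection, cycles: int, new_per_cycle: int,
               deleter: Callable[[sqlite3.Connection, List[int]], bool]) -> List[int]:
    """Model of the periodic job: each cycle uploads every pending entry to the
    panel (here only counted) and then tries to delete what it uploaded.
    Returns the upload size per cycle."""
    uploaded = []
    for _ in range(cycles):
        add_entries(conn, new_per_cycle)   # activity generated since the last run
        ids = pending_ids(conn)
        uploaded.append(len(ids))
        deleter(conn, ids)
    return uploaded


if __name__ == "__main__":
    conn = open_db(limit=999)
    limit = variable_limit(conn)
    add_entries(conn, limit + 1)           # one entry past the limit is enough
    print("limit:", limit, "single-statement delete:", delete_single_statement(conn, pending_ids(conn)))
    print("rows still pending:", len(pending_ids(conn)))
    print("chunked delete:", delete_chunked(conn, pending_ids(conn)))
    print("uploads per cycle, vulnerable:", run_cycles(open_db(999), 5, limit + 1, delete_single_statement))
    print("uploads per cycle, fixed:     ", run_cycles(open_db(999), 5, limit + 1, delete_chunked))
```

With the vulnerable deleter the per-cycle upload size climbs by `limit + 1` every cycle (so the cumulative data sent to the panel grows quadratically), while the chunked deleter keeps it flat at `limit + 1`. Note that SQLite's limit is a compile-time and per-connection value; distribution builds differ from the 32,766 default, which is why the example reads it from the connection instead of hard-coding it.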
Potential Impact
For European organizations running Pterodactyl Wings versions from 1.7.0 up to but not including 1.12.0, this vulnerability poses a significant risk of denial of service through disk space exhaustion on the panel's database server. This can disrupt game server management operations, impacting service availability and potentially causing downtime for hosted game servers. The repeated flooding of activity logs also degrades performance and increases operational overhead. Since the vulnerability can be exploited by low-privileged users without authentication, insider threats or compromised accounts could trigger the attack. The risk is particularly relevant for gaming companies, hosting providers, and esports organizations relying on Pterodactyl for server orchestration, and it extends to any dependent services or customers relying on the availability of these game servers. Recovery from disk exhaustion may require manual intervention and data cleanup, increasing operational costs and downtime.
Mitigation Recommendations
The primary mitigation is to upgrade all affected Wings installations to version 1.12.0 or later, where the issue is fixed. Until upgrades can be applied, organizations should monitor disk space usage on the panel's database server to detect abnormal growth early; steady growth of the Wings activity database and of the panel's activity log storage is the signature of a deletion backlog that is never drained. Rate limiting or restricting activity log generation by low-privileged users can reduce the risk of exploitation. Applying network segmentation and access controls to limit which users can interact with Wings can also help. Regularly backing up the database and logs ensures recovery options in case of disk exhaustion. Administrators should audit user permissions to minimize the number of users capable of generating excessive activity logs. Finally, reviewing and tuning cron job frequency may reduce the rate at which the backlog is resent, but it does not clear the backlog: once the pending entries exceed the SQLite parameter limit, only the fixed version (or manual cleanup of the Wings activity database) drains them.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-02T18:45:27.397Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696e879b4623b1157cadb4ca
Added to database: 1/19/2026, 7:35:55 PM
Last enriched: 1/26/2026, 8:00:41 PM
Last updated: 2/7/2026, 12:42:40 AM
Views: 62
Related Threats
- CVE-2026-25762: CWE-400: Uncontrolled Resource Consumption in adonisjs core (High)
- CVE-2026-25754: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in adonisjs core (High)
- CVE-2026-25644: CWE-295: Improper Certificate Validation in datahub-project datahub (High)
- CVE-2026-25804: CWE-287: Improper Authentication in antrea-io antrea (High)
- CVE-2026-25803: CWE-798: Use of Hard-coded Credentials in denpiligrim 3dp-manager (Critical)