CVE-2026-26016: CWE-639: Authorization Bypass Through User-Controlled Key in pterodactyl panel
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with. Any authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes. This vulnerability requires a user to acquire a secret access token for a node. Unless a user gains access to a Wings secret access token, they would not be able to access any of these vulnerable endpoints, as every endpoint requires a valid node access token. A single compromised Wings node daemon token (stored in plaintext at `/etc/pterodactyl/config.yml`) grants access to sensitive configuration data of every server on the panel, rather than only to servers that the node has access to. An attacker can use this information to move laterally through the system, send excessive notifications, destroy server data on other nodes, and otherwise exfiltrate secrets that they should not have access to with only a node token. Additionally, triggering a false transfer success causes the panel to delete the server from the source node, resulting in permanent data loss. Users should upgrade to version 1.12.1 to receive a fix.
AI Analysis
Technical Summary
Pterodactyl is an open-source game server management panel, with Wings acting as its server control plane. Prior to version 1.12.1, a critical vulnerability (CVE-2026-26016) exists due to missing authorization checks in multiple Wings controllers. Specifically, the system fails to verify that the node requesting server information is the same node to which the server belongs. This flaw allows any authenticated Wings node possessing a node secret token to fetch information about any server on the panel, regardless of node association. The node secret token, stored in plaintext at /etc/pterodactyl/config.yml, acts as a bearer token granting access to sensitive server data and control functions. By exploiting this vulnerability, an attacker can retrieve server installation scripts containing secrets, manipulate installation and transfer statuses of servers on other nodes, and trigger false transfer success events that cause permanent deletion of server data on the source node. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-283 (Improper Authorization). Although exploitation requires possession of a node secret token, once obtained, the attacker gains broad access to all servers managed by the panel, enabling lateral movement, data exfiltration, and destructive operations. No public exploits are known in the wild yet. The vulnerability has a CVSS 4.0 score of 9.2 (critical), reflecting its high impact and network attack vector without user interaction or privileges. The recommended mitigation is to upgrade to Pterodactyl panel version 1.12.1, which implements proper authorization checks to ensure nodes can only access their own servers.
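The core defect described above is an authentication-only check where an ownership check was also needed: the panel confirmed that the caller held a valid node token, but not that the server named in the request belongs to that node. The following Python model is an added example, not Pterodactyl's or Wings' own code. The data model, function names, tokens and the rule that only a transfer's destination node may report completion are assumptions constructed for illustration; the Panel's real remote API is written in PHP and is shaped differently. What the example shows is the pre-fix handler shape beside the hardened one, with the server-to-node ownership check factored into a single helper that every server-scoped endpoint goes through.

```python
from dataclasses import dataclass
from typing import Optional
import hmac


class Unauthorized(Exception):
    """Bearer token does not belong to any node."""


class Forbidden(Exception):
    """Node is valid but is not allowed to act on this server."""


@dataclass
class Node:
    id: int
    token: str


@dataclass
class Server:
    uuid: str
    node_id: int                          # node that currently hosts the server
    install_script: str                   # may embed secrets, hence the sensitivity
    install_status: str = "installed"
    transfer_to_node: Optional[int] = None  # destination node of an in-flight transfer
    deleted_from_source: bool = False


# Constructed sample data (hypothetical tokens and scripts, not real values).
NODES = {1: Node(1, "node1-example-token"), 2: Node(2, "node2-example-token")}
SERVERS = {
    "srv-a": Server("srv-a", 1, "#!/bin/sh\nexport DB_PASSWORD=example-only\n"),
    "srv-b": Server("srv-b", 2, "#!/bin/sh\necho installing\n", transfer_to_node=1),
}


def authenticate_node(bearer: str) -> Node:
    """Map a node's bearer token to its node record (constant-time compare)."""
    for node in NODES.values():
        if hmac.compare_digest(node.token.encode(), bearer.encode()):
            return node
    raise Unauthorized("invalid node token")


def get_install_script_unchecked(bearer: str, server_uuid: str) -> str:
    """Pre-fix handler shape: authentication only, no ownership check.
    Any valid node token reads any server's install script."""
    authenticate_node(bearer)
    return SERVERS[server_uuid].install_script


def server_for_node(node: Node, server_uuid: str) -> Server:
    """The missing check: the server must be assigned to the calling node.
    'Unknown UUID' and 'owned by another node' are reported identically so a
    node cannot enumerate which servers exist elsewhere on the panel."""
    server = SERVERS.get(server_uuid)
    if server is None or server.node_id != node.id:
        raise Forbidden(f"node {node.id} has no server {server_uuid}")
    return server


def get_install_script(bearer: str, server_uuid: str) -> str:
    node = authenticate_node(bearer)
    return server_for_node(node, server_uuid).install_script


def set_install_status(bearer: str, server_uuid: str, status: str) -> str:
    node = authenticate_node(bearer)
    server = server_for_node(node, server_uuid)
    server.install_status = status
    return server.install_status


def report_transfer_success(bearer: str, server_uuid: str) -> Server:
    """Transfer completion is the destructive path: the panel acts on it by
    dropping the server from the source node. In this model only the node the
    transfer was directed to may report success (an assumption of the example)."""
    node = authenticate_node(bearer)
    server = SERVERS.get(server_uuid)
    if server is None or server.transfer_to_node != node.id:
        raise Forbidden(f"node {node.id} is not the transfer destination for {server_uuid}")
    server.node_id = node.id
    server.transfer_to_node = None
    server.deleted_from_source = True
    return server


def is_denied(fn, *args) -> bool:
    """Check helper: True when the call is refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("owner reads own script:", get_install_script("node1-example-token", "srv-a")[:9])
    print("cross-node read denied:", is_denied(get_install_script, "node2-example-token", "srv-a"))
    print("unchecked handler leaks:", get_install_script_unchecked("node2-example-token", "srv-a")[:9])
```

The design point is that the ownership test lives in one place (`server_for_node`) rather than being repeated per controller, which is how a single forgotten check across "multiple controllers" is avoided in the first place. Token holders are authenticated principals, so the fix belongs in authorization, not authentication.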
Potential Impact
This vulnerability poses a severe risk to organizations using Pterodactyl for game server management. If an attacker compromises a single Wings node secret token, they gain unauthorized access to all servers managed by the panel, regardless of node boundaries. This can lead to exposure of sensitive configuration data, including installation scripts that may contain secrets or credentials. Attackers can manipulate server installation and transfer statuses, potentially causing service disruptions or permanent data loss by triggering false transfer completions. The ability to move laterally across nodes increases the attack surface and complicates containment efforts. Organizations may face operational downtime, loss of critical game server data, and potential leakage of confidential information. The vulnerability undermines the integrity and availability of managed servers, impacting service reliability and user trust. Given the critical severity and ease of exploitation once a token is obtained, the threat is significant for any entity relying on Pterodactyl for server orchestration.
Mitigation Recommendations
1. Immediate upgrade to Pterodactyl panel version 1.12.1 or later to apply the official fix that enforces proper authorization checks between nodes and servers.
2. Secure storage of Wings node secret tokens: move tokens out of plaintext configuration files where possible, restrict file permissions strictly, and consider using environment variables or secret management tools.
3. Implement strict access controls and monitoring on nodes to prevent unauthorized access to the /etc/pterodactyl/config.yml file.
4. Regularly audit and rotate node secret tokens to limit exposure duration if compromised.
5. Employ network segmentation to isolate Wings nodes and limit lateral movement opportunities.
6. Monitor logs for unusual API requests or server transfer activities that could indicate exploitation attempts.
7. Educate administrators on the sensitivity of node tokens and enforce strong operational security practices.
8. Consider deploying intrusion detection systems to detect anomalous behavior related to server data access or transfer manipulations.
9. Backup server data regularly and verify backup integrity to recover from potential data loss caused by false transfer triggers.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T21:36:29.554Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69973b6be884a8a4cb40973f
Added to database: 2/19/2026, 4:33:47 PM
Last enriched: 2/19/2026, 4:41:49 PM
Last updated: 2/20/2026, 4:04:04 AM
Views: 21