Pterodactyl is a highly popular free and open-source game server management panel. Designed with security in mind and built using PHP, React, and Go, Pterodactyl is trusted by administrators worldwide to run game servers in isolated Docker containers while providing an intuitive UI.
However, a newly disclosed critical vulnerability, tracked as CVE-2026-26016, threatens to shatter that isolation. With a CVSS score of 9.2, the flaw allows rogue actors who have compromised a single node to break out of their sandbox and manipulate or destroy servers across the entire infrastructure.
The vulnerability is categorized as a “Cross-Node Server Configuration Disclosure via Remote API Missing Authorization”. In a healthy Pterodactyl environment, “Wings” (the server control node daemon) requires a valid, secret access token to interact with the main panel’s endpoints.
The issue arises because several critical API endpoints completely fail to verify if the node requesting the data actually owns the server it is asking about. The advisory details three specific failure points:
- The Remote API endpoint GET /api/remote/servers/{uuid} returns a server’s complete configuration without checking if the requesting node owns that server.
- The failure() and success() methods within the ServerTransferController fetch servers by UUID without verifying node ownership.
- The ServerInstallController lacks authorization checks, allowing any authenticated Wings node to pull deployment secrets (egg installation scripts) and alter the installation status of servers hosted on entirely different nodes.
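To make the missing check concrete, the following is an added, constructed Python model of a panel remote API; it is not Pterodactyl's own PHP code, and the class names, tokens and UUIDs are assumptions. The vulnerable config endpoint only authenticates the node token, while the corrected endpoint and the transfer success callback route through one ownership helper that also requires the UUID to be bound to the calling node (the install-status endpoint would use the same helper).

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified model of a panel's remote API (hypothetical names, not
# Pterodactyl's code). Endpoints return (http_status, body); values are made up.
@dataclass
class Server:
    uuid: str
    node_id: int                       # node currently hosting the server
    config: dict                       # what GET /api/remote/servers/{uuid} returns
    transfer_to: Optional[int] = None  # destination node of a pending transfer

class RemoteApi:
    def __init__(self, tokens: dict, servers: list):
        self._tokens = tokens                         # node token -> node id
        self._servers = {s.uuid: s for s in servers}
        self.deleted_from_source = []                 # (uuid, node) the panel removed

    def _owned(self, token: str, uuid: str, node_field: str = "node_id"):
        # Authenticate the node, then require that it is bound to this server.
        node_id = self._tokens.get(token)
        if node_id is None:
            return 403, None                          # unknown token
        s = self._servers.get(uuid)
        # 404 for unknown and foreign UUIDs alike, so a node cannot enumerate others' servers.
        if s is None or getattr(s, node_field) != node_id:
            return 404, None
        return 200, s

    def get_server_vulnerable(self, token: str, uuid: str):
        # The advisory's flaw: the token is verified, ownership of the UUID is not.
        return (200, self._servers[uuid].config) if token in self._tokens else (403, None)

    def get_server(self, token: str, uuid: str):
        status, s = self._owned(token, uuid)
        return status, (s.config if s else None)

    def transfer_success(self, token: str, uuid: str):
        # The callback comes from the destination node, so it must match the pending
        # transfer's destination, not the current host; only then is the source deleted.
        status, s = self._owned(token, uuid, node_field="transfer_to")
        if s:
            self.deleted_from_source.append((uuid, s.node_id))
            s.node_id, s.transfer_to = self._tokens[token], None
        return status, None
```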
To exploit this vulnerability, an attacker first needs to acquire a secret access token for a Wings node. Unfortunately, this is a relatively low bar for an attacker who has gained local access to a single node, as the daemon token is stored in plaintext at /etc/pterodactyl/config.yml.
Once armed with this token, the attacker effectively gains god-like visibility. A single compromised token “grants access to sensitive configuration data of every server on the panel, rather than only to servers that the node has access to”.
The impact goes far beyond simple data theft. Malicious actors can use this stolen access to move laterally through the system, spam users with excessive notifications, and destroy server data on other nodes.
Most alarmingly, the flaw in the transfer controller can be weaponized to cause permanent destruction. By triggering a “false transfer success,” the attacker can trick the main panel into deleting the server from the source node, resulting in permanent, unrecoverable data loss.
Server administrators utilizing Pterodactyl are strongly urged to rotate potentially exposed node tokens immediately and apply the necessary updates to address this critical API authorization failure.
- Affected versions: <= 1.12.0
- Patched versions: 1.12.1