Cyber Posture

CVE-2026-26016

High

Published: 19 February 2026

Modified: 20 February 2026
KEV Added: not listed
Patch: upgrade to version 1.12.1
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (20.2 percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-26016 is a high-severity Unverified Ownership (CWE-283) vulnerability in Pterodactyl Panel. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 20.2 percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques.

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- Prevent: Directly addresses the missing authorization logic by enforcing verification that the requesting node matches the server being accessed.
- Prevent: Remediates the specific software flaw through timely identification, reporting, and correction via vendor patching to version 1.12.1.
- Prevent: Enforces least privilege for node tokens, restricting access solely to servers associated with that node to prevent cross-node data access.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1552.001 Credentials In Files (Credential Access): Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
- T1041 Exfiltration Over C2 Channel (Exfiltration): Adversaries may steal data by exfiltrating it over an existing command and control channel.
- T1485 Data Destruction (Impact): Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

Authorization bypass on network-exposed Wings daemon directly enables remote exploitation of public-facing app (T1190); retrieval of secrets from installation scripts (T1552.001); exfiltration of server data via the API (T1041); and data deletion via falsified transfer status (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with. Any authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes. This vulnerability requires a user to acquire a secret access token for a node. Unless a user gains access to a Wings secret access token they would not be able to access any of these vulnerable endpoints, as every endpoint requires a valid node access token. A single compromised Wings node daemon token (stored in plaintext at `/etc/pterodactyl/config.yml`) grants access to sensitive configuration data of every server on the panel, rather than only to servers that the node has access to. An attacker can use this information to move laterally through the system, send excessive notifications, destroy server data on other nodes, and otherwise exfiltrate secrets that they should not have access to with only a node token. Additionally, triggering a false transfer success causes the panel to delete the server from the source node, resulting in permanent data loss. Users should upgrade to version 1.12.1 to receive a fix.

Deeper analysis

CVE-2026-26016 is a missing authorization vulnerability affecting Wings, the server control plane component of Pterodactyl, a free open-source game server management panel. Prior to version 1.12.1, multiple controllers in Wings lack logic to verify that a requesting node matches the server it is querying, allowing unauthorized access to server data across nodes.

An attacker who obtains a Wings node secret token (typically stored in plaintext at /etc/pterodactyl/config.yml) can exploit this remotely over the network. With a valid token, they gain network-level access to endpoints that expose sensitive information for any server on the Pterodactyl instance, regardless of node association. This enables retrieval of server installation scripts containing secrets, manipulation of installation and transfer statuses, lateral movement through the system, excessive notifications, data exfiltration, and permanent data loss by triggering false transfer successes that cause the panel to delete server data from source nodes.

The Pterodactyl security advisory (GHSA-g7vw-f8p5-c728) and release notes for version 1.12.1 recommend upgrading Wings to 1.12.1, which adds the necessary node verification logic to restrict access to associated servers only. The vulnerability carries a CVSS v3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 283 (Unverified Ownership) and 639 (Authorization Bypass Through User-Controlled Key).
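The NVD description and the deeper analysis above both come down to one defect: node authentication proved that the caller was some node, but the server lookup was keyed on the server identifier alone, so nothing tied the server to the calling node. The following is an added example written for this page, not Pterodactyl's or Wings' code; it models the pattern in a framework-agnostic way with constructed data. The in-memory `SERVERS` and `NODE_TOKENS` tables, the handler names, the sample tokens and the embedded "secrets" are all assumptions. The vulnerable lookup and the hardened, node-scoped lookup sit side by side, and the transfer-status handler shows why the same check guards against the data-loss path the advisory describes.

```python
"""Node-scoped ownership check for a panel API (constructed example, not
Pterodactyl's code). All identifiers, tokens and secrets below are made up."""
from dataclasses import dataclass
import hmac


class Unauthorized(Exception):
    """No valid node token was presented."""


class NotFound(Exception):
    """Unknown server, or a server this node is not allowed to see."""


@dataclass
class Server:
    uuid: str
    node_id: int                  # the node this server belongs to
    install_script: str           # may embed secrets, so it must stay node-scoped
    transfer_source_deleted: bool = False


# Constructed sample data: two nodes, each owning one server.
NODE_TOKENS = {1: "node1-example-token", 2: "node2-example-token"}
SERVERS = {
    "srv-1111": Server("srv-1111", 1, "#!/bin/sh\nexport DB_PASS=secret-for-node1\n"),
    "srv-2222": Server("srv-2222", 2, "#!/bin/sh\nexport DB_PASS=secret-for-node2\n"),
}


def authenticate_node(bearer: str) -> int:
    """Map a bearer token to a node id, comparing in constant time."""
    for node_id, token in NODE_TOKENS.items():
        if hmac.compare_digest(token.encode(), bearer.encode()):
            return node_id
    raise Unauthorized


def find_server_unscoped(server_uuid: str) -> Server:
    """Vulnerable lookup (CWE-639 / CWE-283): fetches by key alone, so any
    authenticated node can read any server on the panel."""
    server = SERVERS.get(server_uuid)
    if server is None:
        raise NotFound
    return server


def find_server_owned(node_id: int, server_uuid: str) -> Server:
    """Hardened lookup: the server must exist AND belong to the caller.
    Both failures raise NotFound so the endpoint does not confirm which
    UUIDs exist on other nodes."""
    server = SERVERS.get(server_uuid)
    if server is None or server.node_id != node_id:
        raise NotFound
    return server


def install_script_vulnerable(bearer: str, server_uuid: str) -> str:
    authenticate_node(bearer)            # proves "some node", not "the right node"
    return find_server_unscoped(server_uuid).install_script


def install_script_fixed(bearer: str, server_uuid: str) -> str:
    node_id = authenticate_node(bearer)
    return find_server_owned(node_id, server_uuid).install_script


def transfer_success_fixed(bearer: str, server_uuid: str) -> None:
    """Destructive endpoint: a successful transfer deletes the source copy,
    so the ownership check is what stops a foreign node from triggering
    permanent data loss."""
    node_id = authenticate_node(bearer)
    server = find_server_owned(node_id, server_uuid)
    server.transfer_source_deleted = True


def outcome(handler, bearer: str, server_uuid: str):
    """Run a handler and report the result as a plain value."""
    try:
        return ("ok", handler(bearer, server_uuid))
    except Unauthorized:
        return ("unauthorized", None)
    except NotFound:
        return ("not_found", None)


if __name__ == "__main__":
    # Node 1's token asking for node 2's server: the unscoped handler leaks
    # node 2's install script, the scoped handler returns not_found.
    print(outcome(install_script_vulnerable, "node1-example-token", "srv-2222"))
    print(outcome(install_script_fixed, "node1-example-token", "srv-2222"))
```

The design point is that the ownership test lives in the lookup helper rather than in each controller: once every handler resolves servers through `find_server_owned`, a newly added endpoint cannot forget the check. Returning the same NotFound for unknown and foreign servers also keeps the node token from being used to enumerate which server UUIDs exist elsewhere on the panel.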

Details

CWE(s): CWE-283 (Unverified Ownership), CWE-639 (Authorization Bypass Through User-Controlled Key)

Affected Products: pterodactyl / panel, ≤ 1.12.1

CVEs Like This One

- CVE-2026-4896 (shared CWE-639)
- CVE-2026-1375 (shared CWE-639)
- CVE-2026-32097 (shared CWE-639)
- CVE-2025-64523 (shared CWE-639)
- CVE-2025-40805 (shared CWE-639)
- CVE-2026-4503 (shared CWE-639)
- CVE-2026-40600 (shared CWE-639)
- CVE-2023-53955 (shared CWE-639)
- CVE-2020-36923 (shared CWE-639)
- CVE-2026-33511 (shared CWE-639)

References