Cyber Resilience

CVE-2026-26016

Critical

Published: 19 February 2026

Modified: 20 February 2026
KEV Added: not listed
Patch: available (upgrade to 1.12.1)
CVSS v4 Score: 9.2 (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0032 (23.2nd percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-26016 is a critical-severity Unverified Ownership (CWE-283) vulnerability in Pterodactyl Panel. Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 23.2nd percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-26016 is a missing authorization vulnerability affecting Wings, the server control plane component of Pterodactyl, a free open-source game server management panel. Prior to version 1.12.1, multiple controllers in Wings lack logic to verify that a requesting node matches the server it is querying, allowing unauthorized access to server data across nodes.

An attacker who obtains a Wings node secret token (typically stored in plaintext at /etc/pterodactyl/config.yml) can exploit this remotely over the network. With a valid token, they gain access to endpoints that expose sensitive information for any server on the Pterodactyl instance, regardless of which node the server is associated with. This enables retrieval of server installation scripts containing secrets, manipulation of installation and transfer statuses, lateral movement through the system, excessive notifications, data exfiltration, and permanent data loss: triggering a false transfer success causes the panel to delete the server's data from the source node.

The Pterodactyl security advisory (GHSA-g7vw-f8p5-c728) and release notes for version 1.12.1 recommend upgrading Wings to 1.12.1, which adds the necessary node verification logic to restrict access to associated servers only. The vulnerability carries a CVSS v3.1 score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWEs 283 (Unverified Ownership) and 639 (Authorization Bypass Through User-Controlled Key).
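The flaw and its fix come down to one missing check: the endpoint authenticates the node token but never confirms that the requested server is associated with that node. The Go program below is an added illustration written for this page, not Pterodactyl's own code; the `Registry`, `Node` and `Server` types, the two sample nodes and their tokens, the `srv-a`/`srv-b` records and their install-script contents are all constructed stand-ins for the panel's database. `InstallScriptVulnerable` models the pre-1.12.1 pattern (token check only), while `ownedServer` centralizes the ownership rule that the 1.12.1 fix describes and is reused by both a read endpoint and a state-changing endpoint, so the install-status manipulation the advisory mentions is closed by the same check.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Node models a Wings daemon the panel knows about. Token stands in for the node
// secret (the advisory notes it lives in plaintext in /etc/pterodactyl/config.yml).
type Node struct {
	ID    int
	Token string
}

// Server models a game server record: its UUID, the node it is associated with,
// the install script handed to that node, and the current install status.
type Server struct {
	UUID          string
	NodeID        int
	InstallScript string
	Installed     bool
}

var (
	ErrUnauthenticated = errors.New("invalid node token")
	ErrNotFound        = errors.New("server not found")
)

// Registry is a constructed in-memory stand-in for the panel's database.
type Registry struct {
	nodes   []Node
	servers map[string]*Server
}

// NewSampleRegistry builds constructed test data: two nodes, one server each.
// Tokens, UUIDs and script contents are invented for this example.
func NewSampleRegistry() *Registry {
	return &Registry{
		nodes: []Node{{ID: 1, Token: "node-1-token"}, {ID: 2, Token: "node-2-token"}},
		servers: map[string]*Server{
			"srv-a": {UUID: "srv-a", NodeID: 1, InstallScript: "#!/bin/sh\nexport RCON_PASSWORD=secret-a\n"},
			"srv-b": {UUID: "srv-b", NodeID: 2, InstallScript: "#!/bin/sh\nexport RCON_PASSWORD=secret-b\n"},
		},
	}
}

// authenticateNode resolves a bearer token to a node using a constant-time compare.
func (r *Registry) authenticateNode(token string) (Node, error) {
	for _, n := range r.nodes {
		if subtle.ConstantTimeCompare([]byte(n.Token), []byte(token)) == 1 {
			return n, nil
		}
	}
	return Node{}, ErrUnauthenticated
}

// InstallScriptVulnerable mirrors the pre-1.12.1 pattern the advisory describes:
// the caller is authenticated, but nothing ties the server to the calling node.
func (r *Registry) InstallScriptVulnerable(token, uuid string) (string, error) {
	if _, err := r.authenticateNode(token); err != nil {
		return "", err
	}
	s, ok := r.servers[uuid]
	if !ok {
		return "", ErrNotFound
	}
	return s.InstallScript, nil // any valid node token reaches any server
}

// ownedServer is the single place the ownership rule lives: the server must
// exist AND be associated with the authenticated node. A foreign server gets
// the same "not found" answer as a nonexistent one, so the endpoint does not
// confirm which UUIDs exist on other nodes.
func (r *Registry) ownedServer(token, uuid string) (*Server, error) {
	node, err := r.authenticateNode(token)
	if err != nil {
		return nil, err
	}
	s, ok := r.servers[uuid]
	if !ok || s.NodeID != node.ID {
		return nil, ErrNotFound
	}
	return s, nil
}

// InstallScriptFixed routes the read through ownedServer (the 1.12.1-style check).
func (r *Registry) InstallScriptFixed(token, uuid string) (string, error) {
	s, err := r.ownedServer(token, uuid)
	if err != nil {
		return "", err
	}
	return s.InstallScript, nil
}

// SetInstallStatusFixed applies the same rule to a state-changing endpoint, so a
// node cannot flip the install status of a server that belongs to another node.
func (r *Registry) SetInstallStatusFixed(token, uuid string, installed bool) error {
	s, err := r.ownedServer(token, uuid)
	if err != nil {
		return err
	}
	s.Installed = installed
	return nil
}

func main() {
	r := NewSampleRegistry()
	_, err := r.InstallScriptVulnerable("node-2-token", "srv-a")
	fmt.Println("vulnerable, cross-node read:", err) // nil: node 2 reads node 1's script
	_, err = r.InstallScriptFixed("node-2-token", "srv-a")
	fmt.Println("fixed, cross-node read:", err) // server not found
	_, err = r.InstallScriptFixed("node-1-token", "srv-a")
	fmt.Println("fixed, own server:", err) // nil
}
```

The design point worth copying is that the ownership check is not repeated per handler but lives in one lookup that every node-scoped endpoint must go through; a new controller that forgets the check is exactly how "multiple controllers" end up affected. Returning the same not-found result for foreign and nonexistent servers also keeps the endpoint from acting as an oracle for server UUIDs on other nodes.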

Vulnerability details

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with. Any authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes.

This vulnerability requires a user to acquire a secret access token for a node. Unless a user gains access to a Wings secret access token they would not be able to access any of these vulnerable endpoints, as every endpoint requires a valid node access token. A single compromised Wings node daemon token (stored in plaintext at `/etc/pterodactyl/config.yml`) grants access to sensitive configuration data of every server on the panel, rather than only to servers that the node has access to. An attacker can use this information to move laterally through the system, send excessive notifications, destroy server data on other nodes, and otherwise exfiltrate secrets that they should not have access to with only a node token. Additionally, triggering a false transfer success causes the panel to delete the server from the source node, resulting in permanent data loss. Users should upgrade to version 1.12.1 to receive a fix.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
T1041 Exfiltration Over C2 Channel (Exfiltration)
Adversaries may steal data by exfiltrating it over an existing command and control channel.
T1485 Data Destruction (Impact)
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

The authorization bypass on the network-exposed Wings daemon directly enables remote exploitation of a public-facing application (T1190); retrieval of secrets from installation scripts maps to Credentials In Files (T1552.001); exfiltration of server data via the API maps to Exfiltration Over C2 Channel (T1041); and data deletion via a falsified transfer status maps to Data Destruction (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-20912 (shared CWE-283, CWE-639)
CVE-2026-4896 (shared CWE-639)
CVE-2024-8613 (shared CWE-639)
CVE-2025-64523 (shared CWE-639)
CVE-2026-1375 (shared CWE-639)
CVE-2026-41471 (shared CWE-639)
CVE-2026-35183 (shared CWE-639)
CVE-2023-36331 (shared CWE-639)
CVE-2026-33297 (shared CWE-639)
CVE-2026-41084 (shared CWE-639)

Affected Assets

pterodactyl / panel, ≤ 1.12.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent: AC-3 Access Enforcement
Directly addresses the missing authorization logic by enforcing verification that the requesting node matches the server being accessed.

prevent: Flaw remediation
Remediates the specific software flaw through timely identification, reporting, and correction via vendor patching to version 1.12.1.

prevent: AC-6 Least Privilege
Enforces least privilege for node tokens, restricting access solely to servers associated with that node to prevent cross-node data access.
