SFTP Connection Persistence in Pterodactyl Game Server Management Panel
CVE-2025-68954

7.5HIGH

Key Information:

Vendor

Pterodactyl

Status
Panel
Vendor
CVE Published:
6 January 2026

What is CVE-2025-68954?

The Pterodactyl Game Server Management Panel has a vulnerability that allows users to maintain active SFTP connections even after their permissions have been modified or revoked. Specifically, for versions up to 1.11.11, a user can continue to access files via SFTP if they were connected at the time of a permissions change. This exposes sensitive data and poses a significant security risk. The issue has been addressed in version 1.12.0, making it essential for users to update promptly to secure their server environments.

Affected Version(s)

panel < 1.12.0

References

https://github.com/pterodactyl/panel/security/advisories/...
x_refsource_CONFIRM
https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e...
x_refsource_MISC
https://github.com/pterodactyl/panel/releases/tag/v1.12.0
x_refsource_MISC

CVSS V4

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.