SQL Logic Error in Pterodactyl's Wings Panel Allows Data Flooding
CVE-2026-21696
8.3 HIGH
What is CVE-2026-21696?
Wings, the server control plane for Pterodactyl, is affected by a vulnerability in its handling of activity log entries that low-privileged users can exploit. Versions between 1.7.0 and 1.11.0 do not respect SQLite's maximum parameter limit, which can cause the same activity data to be resubmitted to the panel repeatedly. An attacker can trigger this condition, specifically when Wings attempts to delete an excessive number of entries, so that the database processes the entries again and again until resources are exhausted. The ongoing data overload can cause the server to run out of disk space. Updating to version 1.12.0 resolves this issue.
Affected Version(s)
wings >= 1.7.0, < 1.12.0
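
One way to respect SQLite's parameter limit when deleting a large backlog of activity rows, shown as an added example that is not Wings' own code: the delete is split into batches, so a single oversized statement cannot fail on every cycle and leave the same rows queued. The table name activity_log, the 999 bound, and the execFunc and fakeSQLite stand-ins for a real database driver are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const maxSQLParams = 999 // assumed bound: SQLite's default variable limit before 3.32.0

type execFunc func(query string, args []any) error // stand-in for a driver's Exec call

// deleteActivity deletes ids in batches of at most maxSQLParams placeholders, so an
// oversized backlog cannot make every delete fail and leave rows queued for resending.
func deleteActivity(ids []int64, exec execFunc) (batches int, err error) {
	for start := 0; start < len(ids); start += maxSQLParams {
		end := start + maxSQLParams
		if end > len(ids) {
			end = len(ids)
		}
		args := make([]any, 0, end-start)
		for _, id := range ids[start:end] {
			args = append(args, id)
		}
		// "activity_log" is a hypothetical table name, not taken from Wings.
		q := "DELETE FROM activity_log WHERE id IN (?" + strings.Repeat(",?", len(args)-1) + ")"
		if err = exec(q, args); err != nil {
			return batches, fmt.Errorf("batch %d: %w", batches, err)
		}
		batches++
	}
	return batches, nil
}

// fakeSQLite is a constructed stand-in that rejects over-limit statements like SQLite does.
func fakeSQLite(deleted *int) execFunc {
	return func(_ string, args []any) error {
		if len(args) > maxSQLParams {
			return errors.New("too many SQL variables")
		}
		*deleted += len(args)
		return nil
	}
}

func main() {
	deleted := 0
	n, err := deleteActivity(make([]int64, 2500), fakeSQLite(&deleted)) // constructed backlog
	fmt.Println("batches:", n, "deleted:", deleted, "err:", err)
}
```

With a real driver, exec would wrap the database handle's Exec method, and the bound should match the limit of the SQLite build in use.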
