Authorization Flaw in Pterodactyl's Wings Server Control Panel
CVE-2026-26016

9.2 CRITICAL

Key Information:

CVE Published: 19 February 2026

What is CVE-2026-26016?

Wings, the server control plane for Pterodactyl, contains a missing authorization check that allows users with a node secret token to access sensitive information of servers on different nodes. This oversight permits any authenticated Wings node to retrieve server installation scripts and manipulate server statuses of other nodes. The flaw arises because there is no verification logic ensuring that the node requesting data is the node the server is actually associated with. An attacker could exploit this by using a compromised access token, leading to potential lateral movement within the system, data destruction, and unauthorized access to sensitive secrets. To safeguard against these risks, users are advised to upgrade to Wings version 1.12.1, which addresses this issue.
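The missing check, shown on a small in-memory model. This is an added example, not Pterodactyl or Wings code: the types, function names, tokens and server IDs are all hypothetical and the data is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model, not Pterodactyl code; every name below is hypothetical.
type Server struct {
	NodeID        int
	InstallScript string
}

type Panel struct {
	nodeByToken map[string]int    // node secret token -> node ID
	servers     map[string]Server // server UUID -> record
}

var ErrDenied = errors.New("unknown token or server")

// InstallScript authenticates the node token and, when bindNode is true, also
// requires that the server belongs to the calling node. A foreign server gets
// the same error as a missing one, so a node cannot probe which UUIDs exist.
// bindNode=false reproduces the authentication-only behaviour described above.
func (p *Panel) InstallScript(token, uuid string, bindNode bool) (string, error) {
	nodeID, authed := p.nodeByToken[token]
	s, found := p.servers[uuid]
	if !authed || !found || (bindNode && s.NodeID != nodeID) {
		return "", ErrDenied
	}
	return s.InstallScript, nil
}

// NewDemoPanel builds two nodes that each own one server (constructed data).
func NewDemoPanel() *Panel {
	return &Panel{
		nodeByToken: map[string]int{"token-node-1": 1, "token-node-2": 2},
		servers: map[string]Server{
			"srv-a": {NodeID: 1, InstallScript: "install A"},
			"srv-b": {NodeID: 2, InstallScript: "install B"},
		},
	}
}

func main() {
	p := NewDemoPanel()
	for _, bind := range []bool{false, true} {
		_, err := p.InstallScript("token-node-1", "srv-b", bind)
		fmt.Printf("node 1 reads srv-b, bindNode=%v: err=%v\n", bind, err)
	}
}
```

The same node-to-server comparison belongs on every endpoint a node can call with its token, including the ones that change server status, not only the read path modelled here.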

Affected Version(s)

panel < 1.12.1

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
