Logic Flaw in Pterodactyl Game Server Management Panel
CVE-2026-35202

2.3 LOW

Key Information:

Status
Vendor
CVE Published: 2 June 2026

What is CVE-2026-35202?

The Pterodactyl Client API, a component of the open-source Pterodactyl game server management panel, contains a logic flaw that lets users exceed their assigned database allocation limits. The flaw stems from the database locking in the API controllers, which does not enforce correct locking procedures. As a result, users can obtain resources beyond their permitted allocations. Version 1.12.3 fixes the locking mechanism so that the limits are properly enforced.

Affected Version(s)

panel < 1.12.3

CVSS V4

Score: 2.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
