CVE-2025-68954

MEDIUM

Pterodactyl <1.11.11 - Info Disclosure

Title source: llm

Description

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability to be exploited. This issue is fixed in version 1.12.0.

References (3)

[Vendor Advisory] https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c

[Patch] https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5

View Patch ZIP pw:eip

[Product, Release Notes] https://github.com/pterodactyl/panel/releases/tag/v1.12.0

Scores

CVSS v3 5.4

EPSS 0.0001

EPSS Percentile 1.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-613

Status published

Products (4)

pterodactyl/panel < 1.12.0

pterodactyl/panel 0 - 1.12.0Packagist

pterodactyl/wings < 1.12.0

pterodactyl/wings 0 - 1.12.0Go

Published Jan 06, 2026

Tracked Since Feb 18, 2026