CVE-2026-35202
Pterodactyl Panel <1.12.3 Client API - Database Limit Bypass
Severity: LOW
Title source: manual
Description
Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets an authenticated user bypass the database allocation limit assigned to their server. The database locking mechanism used in the controllers never actually acquires a lock, so the limit check and the subsequent database creation are not serialized: concurrent create-database requests can each observe a count below the limit, pass the check, and then all create their database (a time-of-check/time-of-use race, CWE-367), leaving the server with more databases than its limit allows (CWE-770). Version 1.12.3 patches the issue.
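The flaw described above, modelled as an added example. This is Python written for this page, not code from the Pterodactyl project, and it does not reproduce the project's controllers or the 1.12.3 patch. A per-server database limit is checked and then a database is created, with a lock object that is meant to serialize the two steps; `BrokenLock` stands in for a lock that never excludes, `RealLock` for one that does. `Server`, the request generator, the round-robin scheduler and the sample request names `db1`..`db5` are all constructed for the illustration.

```python
# Added example (not Pterodactyl's code): a deterministic model of the
# check-then-allocate race.  A "lock" that never blocks lets every concurrent
# request observe the pre-allocation count, pass the limit check, and then
# create its database (CWE-367 leading to CWE-770).
from dataclasses import dataclass, field


@dataclass
class Server:
    """Minimal stand-in for a server record with a per-server database limit."""
    database_limit: int
    databases: list = field(default_factory=list)


class BrokenLock:
    """Models the flawed locking: acquire() always succeeds, so nothing is serialized."""
    def acquire(self) -> bool:
        return True

    def release(self) -> None:
        pass


class RealLock:
    """A lock that actually excludes: acquire() fails while another request holds it."""
    def __init__(self) -> None:
        self.held = False

    def acquire(self) -> bool:
        if self.held:
            return False
        self.held = True
        return True

    def release(self) -> None:
        self.held = False


def create_database_request(server: Server, lock, name: str):
    """One client API request, written as a generator.

    Each `yield` is a point where the request waits on a database round-trip
    and other in-flight requests may run.  The limit check (time of check) and
    the insert (time of use) are separated by such a point; a real lock must
    be held across both.
    """
    while not lock.acquire():
        yield "waiting"                                       # behind another request's critical section
    if len(server.databases) >= server.database_limit:        # time of check
        lock.release()
        return "rejected"
    yield "checked"                                           # other requests run here
    server.databases.append(name)                             # time of use
    lock.release()
    return "created"


def run_concurrently(server: Server, lock, names) -> dict:
    """Round-robin scheduler: advances every in-flight request one step per round.

    This is the worst-case interleaving for a check-then-act sequence: every
    request reaches its check before any request commits.  Returns
    {request name: outcome}.
    """
    pending = {n: create_database_request(server, lock, n) for n in names}
    results = {}
    while pending:
        for name, gen in list(pending.items()):
            try:
                next(gen)
            except StopIteration as finished:
                results[name] = finished.value
                del pending[name]
    return results


def simulate(limit: int, request_count: int, lock) -> tuple:
    """Run `request_count` concurrent create-database requests against one server.

    Returns (databases actually created, outcomes per request).
    """
    server = Server(database_limit=limit)
    names = [f"db{i}" for i in range(1, request_count + 1)]   # constructed sample input
    outcomes = run_concurrently(server, lock, names)
    return len(server.databases), outcomes


if __name__ == "__main__":
    created, _ = simulate(limit=2, request_count=5, lock=BrokenLock())
    print(f"broken lock: limit 2, created {created}")        # limit bypassed
    created, _ = simulate(limit=2, request_count=5, lock=RealLock())
    print(f"real lock:   limit 2, created {created}")        # limit enforced
```

The scheduler forces the worst-case interleaving, so the bypass reproduces without real threads or timing luck. Against a live deployment the same outcome depends on several requests racing between the check and the insert, which is consistent with the AT:P (attack requirements present) component of the CVSS vector below. The property the fix needs is the one `RealLock` shows: whatever the controller acquires must actually exclude other requests for the whole check-then-create span, for example a row lock taken inside the same transaction as the insert.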
References (1)
https://github.com/pterodactyl/panel/security/advisories/GHSA-fgmm-w5cx-vrfw (vendor advisory, x_refsource_confirm)
Scores
CVSS v4: 2.3 (Low)
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.0035 (percentile 26.4%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-367 (Time-of-Check Time-of-Use (TOCTOU) Race Condition), CWE-770 (Allocation of Resources Without Limits or Throttling)
Status: published
Products (2)
pterodactyl/panel (Packagist): 0 - 1.12.3 (fixed in 1.12.3)
pterodactyl/panel: < 1.12.3
Published: Jun 02, 2026
Tracked Since: Jun 03, 2026