Pterodactyl has a database resource limit bypass via race condition...

2.3 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Version 1.12.3 patches the issue.

Basic Information

ID CVE-2026-35202

Source GitHub_M

Published Jun 2, 2026 at 19:03

Affected Product

Vendor pterodactyl

Product panel

Version < 1.12.3

Affected Versions pterodactyl panel < 1.12.3

CWE Classification

CWE-367 CWE-770

References

github.com /pterodactyl/panel/security/advisories/GHSA-fgmm-w5cx-vrfw

{
    "lastseen": "",
    "description": "Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Version 1.12.3 patches the issue.",
    "published": "2026-06-02T19:03:46.792Z",
    "modified": "2026-06-02T19:03:46.792Z",
    "type": "cve",
    "title": "Pterodactyl has a database resource limit bypass via race condition in Client API",
    "source": "GitHub_M",
    "references": "https://github.com/pterodactyl/panel/security/advisories/GHSA-fgmm-w5cx-vrfw",
    "id": "CVE-2026-35202",
    "bulletinFamily": "",
    "cwe": [
        "CWE-367",
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "pterodactyl panel < 1.12.3",
    "sourceHref": "",
    "cvss": {
        "score": 2.3,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "panel",
    "version": "< 1.12.3",
    "vendor": "pterodactyl",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Pterodactyl has a database resource limit bypass via race condition in Client API_CVE-2026-35202