{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-17T20:09:41.425","vulnerabilities":[{"cve":{"id":"CVE-2026-26016","sourceIdentifier":"security-advisories@github.com","published":"2026-02-19T17:24:50.293","lastModified":"2026-02-20T19:08:53.683","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node requesting server data is the same node that the server is associated with. Any authenticated Wings node can retrieve server installation scripts (potentially containing secret values) and manipulate the installation status of servers belonging to other nodes. Wings nodes may also manipulate the transfer status of servers belonging to other nodes. This vulnerability requires a user to acquire a secret access token for a node. Unless a user gains access to a Wings secret access token they would not be able to access any of these vulnerable endpoints, as every endpoint requires a valid node access token. A single compromised Wings node daemon token (stored in plaintext at `/etc/pterodactyl/config.yml`) grants access to sensitive configuration data of every server on the panel, rather than only to servers that the node has access to. An attacker can use this information to move laterally through the system, send excessive notifications, destroy server data on other nodes, and otherwise exfiltrate secrets that they should not have access to with only a node token. Additionally, triggering a false transfer success causes the panel to delete the server from the source node, resulting in permanent data loss. Users should upgrade to version 1.12.1 to receive a fix."},{"lang":"es","value":"Wings es el plano de control del servidor para Pterodactyl, un panel de gestión de servidores de juegos gratuito y de código abierto. Antes de la versión 1.12.1, una falta de verificación de autorización en múltiples controladores permite a cualquier usuario con acceso a un token secreto de nodo obtener información sobre cualquier servidor en una instancia de Pterodactyl, incluso si ese servidor está asociado con un nodo diferente. Este problema se deriva de la falta de lógica para verificar que el nodo que solicita datos del servidor es el mismo nodo con el que está asociado el servidor. Cualquier nodo Wings autenticado puede recuperar scripts de instalación de servidores (que potencialmente contienen valores secretos) y manipular el estado de instalación de servidores pertenecientes a otros nodos. Los nodos Wings también pueden manipular el estado de transferencia de servidores pertenecientes a otros nodos. Esta vulnerabilidad requiere que un usuario adquiera un token de acceso secreto para un nodo. A menos que un usuario obtenga acceso a un token de acceso secreto de Wings, no podría acceder a ninguno de estos puntos finales vulnerables, ya que cada punto final requiere un token de acceso de nodo válido. Un único token de demonio de nodo Wings comprometido (almacenado en texto plano en '/etc/pterodactyl/config.yml') otorga acceso a datos de configuración sensibles de cada servidor en el panel, en lugar de solo a los servidores a los que el nodo tiene acceso. Un atacante puede usar esta información para moverse lateralmente a través del sistema, enviar notificaciones excesivas, destruir datos de servidores en otros nodos y, de otro modo, exfiltrar secretos a los que no debería tener acceso con solo un token de nodo. Además, activar un éxito de transferencia falso hace que el panel elimine el servidor del nodo de origen, lo que resulta en una pérdida permanente de datos. Los usuarios deben actualizar a la versión 1.12.1 para recibir una solución."}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.2,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"LOW","subAvailabilityImpact":"LOW","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"cvssMetricV31":[{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-283"},{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:pterodactyl:panel:*:*:*:*:*:*:*:*","versionEndExcluding":"1.12.1","matchCriteriaId":"57849D30-EFC2-47CA-9018-240B563977DC"}]}]}],"references":[{"url":"https://github.com/pterodactyl/panel/releases/tag/v1.12.1","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/pterodactyl/panel/security/advisories/GHSA-g7vw-f8p5-c728","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}