CVE-2026-35202— Pterodactyl has a database resource limit bypass via race condition in Client API
Possible ATT&CK Techniques 1AI
T1136 · Create AccountAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pterodactyl | panel | < 1.12.3 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-35202
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pterodactyl has a database resource limit bypass via race condition in Client API
Source: NVD (National Vulnerability Database)
Vulnerability Description
Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Version 1.12.3 patches the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
检查时间与使用时间(TOCTOU)的竞争条件
Source: NVD (National Vulnerability Database)
Vulnerability Title
Pterodactyl Panel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Pterodactyl Panel是Pterodactyl开源的一个免费的开源游戏服务器管理面板。 Pterodactyl Panel 1.12.3之前版本存在安全漏洞,该漏洞源于数据库锁定机制完全失效,可能导致用户绕过数据库分配限制。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| pterodactyl | panel | < 1.12.3 | - |
II. Public POCs for CVE-2026-35202
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-35202
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-35202 (1)
IV. Related Vulnerabilities
Same product: panel
- CVE-2026-34358
CtrlPanel: Missing Authorization on Admin Write Endpoints Al - CVE-2026-34246
CtrlPanel: Stored XSS in Admin Role Management via Unescaped - CVE-2026-34241
CtrlPanel: Stored XSS in Ticket Reply Notifications Allows S - CVE-2026-34234
CtrlPanel: Unauthenticated RCE using installer script - CVE-2026-34233
CtrlPanel has Missing Authentication Checks in Datatable Adm
Same vendor: pterodactyl
- CVE-2026-26016
Pterodactyl Panel Allows Cross-Node Server Configuration Dis - CVE-2026-21696
Endless reprocessing/reupload of activity log data due to SQ - CVE-2025-69199
Pterodactyl Wings's websocket endpoints have no visible rate - CVE-2025-69198
Pterodactyl's improper resource locking allows raced queries - CVE-2025-69197
Pterodactyl TOTPs can be reused during validity window
Same weakness: CWE-367
- CVE-2026-48983
pam_usb: TOCTOU race condition in pad directory creation all - CVE-2026-6733
undici vulnerable to HTTP response queue poisoning via keep- - CVE-2026-54228
Abrt: toctou race condition in abrt-dbus setelement allows a - CVE-2026-53838
OpenClaw < 2026.5.27 - Node Pairing State Mutation via Recon - CVE-2026-53831
OpenClaw < 2026.5.18 - Arbitrary File Read via Shell Expansi
V. Comments for CVE-2026-35202
No comments yet