Security: pterodactyl/panel

Security

SECURITY.md

Security Policy

Supported Versions

Pterodactyl only provides security support for the latest major.minor versions of the Panel and Wings software. If a security vulnerability is found in an older version but cannot be reproduced on a supported version it will not be considered. Additionally, security issues found in unreleased code will be addressed, but do not warrant a security advisory.

For example, if the latest version of the Panel is 1.2.5 then we only support security reports for issues that occur on >= 1.2.x versions of the Panel software. The Panel and Wings have their own versions, but they generally follow eachother.

Reporting a Vulnerability

Please use our GitHub Security reporting meachnism to quickly alert the team to any security issues you come across, or send an email to security@pterodactyl.io with the details of your report.

We make every effort to respond as soon as possible, although it may take a day or two for us to sync internally and determine the severity of the report and its impact. Please, do not use a public facing channel or GitHub issues to report sensitive security issues.

As part of our process, we will create a security advisory for the affected versions and disclose it publicly, usually two to four weeks after a releasing a version that addresses it.

Cross-Node Server Configuration Disclosure via Remote API Missing Authorization
GHSA-g7vw-f8p5-c728 published Feb 14, 2026 by DaneEveritt

Critical
SFTP sessions remain active after user account deletion or password change
GHSA-hr7j-63v7-vj7g published Feb 14, 2026 by DaneEveritt

High
SFTP access is not revoked when server is deleted or permissions reduced
GHSA-8c39-xppg-479c published Jan 6, 2026 by DaneEveritt

High
Reflected XSS in "Create New Database Host"
GHSA-mgr9-6c2j-jxrq published Dec 27, 2025 by DaneEveritt

Low
TOTP can be used multiple times during validity window
GHSA-rgmp-4873-r683 published Jan 6, 2026 by DaneEveritt

Moderate
Unauthenticated Arbitrary Remote Code Execution
GHSA-24wv-6c99-f843 published Jun 19, 2025 by matthewpi

Critical
Plain-text logging of user passwords when two-factor authentication is disabled
GHSA-c479-wq8g-57hr published Oct 24, 2024 by matthewpi

Moderate
Improper resource locking allows raced queries to create more resources than alloted
GHSA-jw2v-cq5x-q68g published Jan 19, 2026 by anthonyphysgun

Moderate
Websocket endpoints have no visible rate limits or monitoring, allowing for DOS attacks under certain circumstances
GHSA-8w7m-w749-rx98 published Jan 19, 2026 by anthonyphysgun

High
Multiple XSS vulnerabilities in the admin area
GHSA-384w-wffr-x63q published May 3, 2024 by matthewpi

Moderate

Learn more about advisories related to pterodactyl/panel in the GitHub Advisory Database

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!