Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-21696

CVE-2026-21696: Pterodactyl Wings DoS Vulnerability

CVE-2026-21696 is a denial of service flaw in Pterodactyl Wings that allows low-privileged users to flood the panel database with repeated activity logs. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-21696 Overview

CVE-2026-21696 is a Resource Exhaustion vulnerability in Pterodactyl Wings, the server control plane component for the popular open-source game server management panel. The vulnerability exists in how Wings processes activity log entries without considering SQLite's maximum parameter limit, allowing a low-privileged attacker to trigger a condition that repeatedly floods the panel with duplicate activity records until disk space is exhausted.

Critical Impact

A low-privileged user can exploit this flaw to cause indefinite re-processing of activity logs, leading to disk exhaustion on the panel's database server and complete denial of service.

Affected Products

  • Pterodactyl Wings versions 1.7.0 through 1.11.x
  • Pterodactyl Panel installations using vulnerable Wings versions
  • Game server deployments managed by affected Wings instances

Discovery Timeline

  • 2026-01-19 - CVE-2026-21696 published to NVD
  • 2026-01-19 - Last updated in NVD database

Technical Details for CVE-2026-21696

Vulnerability Analysis

This vulnerability stems from improper handling of SQLite database operations within the Wings activity log processing mechanism. When Wings processes activity logs, it sends entries to the panel and subsequently attempts to delete processed entries from its local SQLite database. However, the deletion logic fails to account for SQLite's maximum parameter limit of 32,766 variables (as of SQLite 3.32.0).

When the number of activity entries exceeds this limit, the deletion query fails with the error "SQL logic error: too many SQL variables (1)". Critically, this failure does not prevent the entries from being marked for reprocessing. As a result, these entries are indefinitely re-processed and resent to the panel each time the cron job executes.

The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), as successful exploitation leads to unbounded growth of activity data on the panel's database server.

Root Cause

The root cause lies in the activity cron job implementation within Wings. The code responsible for deleting processed activity entries constructs a single SQL DELETE statement with all entry IDs as parameters. When the entry count surpasses SQLite's 32,766 parameter limit, the query fails entirely rather than being batched appropriately.

The vulnerable code paths exist in internal/cron/activity_cron.go and internal/cron/sftp_cron.go, where bulk deletion operations are performed without chunking the parameters to stay within SQLite's constraints.

Attack Vector

The attack can be executed remotely over the network by a low-privileged authenticated user. The attacker needs to generate sufficient activity to push the entry count above the SQLite parameter threshold. Once triggered, the following exploitation pattern emerges:

  1. The attacker generates a large volume of activity events (more than 32,766 entries)
  2. The Wings cron job attempts to process and delete these entries
  3. The deletion fails due to exceeding SQLite's parameter limit
  4. All entries remain in the database and are re-queued for processing
  5. On subsequent cron runs, these entries are uploaded again to the panel
  6. The cycle repeats indefinitely, with each iteration potentially adding new activity entries
  7. The panel's database server eventually runs out of disk space

This attack requires no user interaction and can be sustained with minimal attacker effort once initiated.

Detection Methods for CVE-2026-21696

Indicators of Compromise

  • Unusual growth in database disk usage on the Pterodactyl Panel server
  • Repeated identical activity log entries appearing in the panel database
  • SQLite error messages in Wings logs containing "too many SQL variables"
  • Abnormally high network traffic between Wings instances and the panel

Detection Strategies

  • Monitor Wings application logs for SQLite errors related to parameter limits
  • Implement database query monitoring to detect duplicate activity log insertions
  • Set up disk space alerting thresholds on panel database servers
  • Review Wings SQLite database file sizes for unexpected growth patterns

Monitoring Recommendations

  • Configure centralized logging for all Wings instances to correlate activity patterns
  • Establish baseline metrics for normal activity log volume and alert on deviations
  • Implement database row count monitoring for activity-related tables
  • Deploy network traffic analysis to detect repeated large uploads from Wings to panel

How to Mitigate CVE-2026-21696

Immediate Actions Required

  • Upgrade Pterodactyl Wings to version 1.12.0 or later immediately
  • Monitor disk space usage on panel database servers for signs of exploitation
  • Review Wings logs for SQLite parameter limit errors indicating active exploitation
  • Consider temporarily limiting user access if exploitation is detected

Patch Information

The vulnerability is fixed in Pterodactyl Wings version 1.12.0. The fix implements proper batching of SQLite delete operations to ensure the parameter count stays within acceptable limits. Organizations should upgrade all Wings instances to version 1.12.0 or later as soon as possible.

For detailed information about the fix, refer to the GitHub Security Advisory.

Workarounds

  • Manually monitor and purge duplicate activity entries from the panel database if exploitation is suspected
  • Implement rate limiting on activity generation at the application level
  • Set up automated disk space monitoring with aggressive alerting thresholds
  • Consider temporarily disabling activity logging on affected Wings instances until patching is possible
bash
# Configuration example - Check Wings version and upgrade
# Verify current Wings version
wings --version

# Stop Wings service before upgrade
systemctl stop wings

# Download and install Wings 1.12.0 or later
curl -L -o /usr/local/bin/wings "https://github.com/pterodactyl/wings/releases/latest/download/wings_linux_amd64"
chmod u+x /usr/local/bin/wings

# Restart Wings service
systemctl start wings

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.