
CVE-2026-26016: Pterodactyl Wings Auth Bypass Vulnerability

CVE-2026-26016 is an authentication bypass flaw in Pterodactyl Wings that allows compromised nodes to access sensitive data across all servers. This article covers technical details, affected versions, impact, and mitigation.

Published: February 20, 2026

CVE-2026-26016 Overview

CVE-2026-26016 is a critical authorization bypass vulnerability in Wings, the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This vulnerability enables cross-node data exfiltration, lateral movement, and potential permanent data loss.

Critical Impact

A single compromised Wings node daemon token grants access to sensitive configuration data of every server on the panel, enabling lateral movement, data destruction, and secret exfiltration across all nodes.

Affected Products

  • Pterodactyl Wings prior to version 1.12.1
  • Pterodactyl Panel installations using vulnerable Wings versions
  • Any Pterodactyl deployment with multiple nodes sharing the same panel

Discovery Timeline

  • 2026-02-19 - CVE-2026-26016 published to NVD
  • 2026-02-19 - Last updated in NVD database

Technical Details for CVE-2026-26016

Vulnerability Analysis

This vulnerability stems from CWE-283: Unverified Ownership, where the Wings control plane fails to verify that the node requesting server data is the same node that the server is associated with. The missing authorization logic in multiple controllers creates a significant security gap that allows any authenticated Wings node to access and manipulate data belonging to servers on other nodes.

The vulnerability is particularly severe because Wings node secret tokens are stored in plaintext at /etc/pterodactyl/config.yml. If an attacker compromises a single node and obtains this token, they gain unauthorized access to sensitive configuration data of every server across the entire Pterodactyl panel installation, rather than being restricted to only the servers that particular node should have access to.

Root Cause

The root cause is missing authorization logic to verify node-to-server ownership associations. When a node makes requests to retrieve server installation scripts, manipulate installation status, or manage transfer states, the application fails to validate that the requesting node actually owns or is associated with the target server. This missing verification check allows any valid node token to access resources belonging to any server in the system.
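The missing ownership check, as an added Go example that is not Pterodactyl's code: a hypothetical model in which a node token is authenticated but, in the vulnerable handler, never compared with the target server's assigned node, shown beside the corrected handler. The server IDs, token values and installer secrets are constructed.

```go
package main

import "errors"
import "fmt"

// Hypothetical model of the lookup behind CVE-2026-26016 (example code, not
// Pterodactyl's own): a node authenticates with its secret token, and every
// server is assigned to exactly one node.
type Server struct {
	NodeID     string
	InstallEnv map[string]string // secrets handed to the installer, e.g. DB credentials
}

// Constructed sample data: two nodes, one server on each.
var servers = map[string]Server{
	"srv-a": {"node-1", map[string]string{"DB_PASSWORD": "example-a"}},
	"srv-b": {"node-2", map[string]string{"DB_PASSWORD": "example-b"}},
}
var nodeTokens = map[string]string{"tok-node-1": "node-1", "tok-node-2": "node-2"}
var ErrUnauthenticated = errors.New("unknown node token")
var ErrNotOwner = errors.New("server not assigned to the requesting node")

// vulnerableInstallScript mirrors the flaw (CWE-283): the token is authenticated,
// but the target server's owner is never compared against the caller.
func vulnerableInstallScript(token, serverID string) (map[string]string, error) {
	if _, ok := nodeTokens[token]; !ok {
		return nil, ErrUnauthenticated
	}
	if s, ok := servers[serverID]; ok {
		return s.InstallEnv, nil // any valid node token reads any server's secrets
	}
	return nil, ErrNotOwner
}

// fixedInstallScript adds the missing check: the server must belong to the node
// the token identifies. "Unknown" and "not yours" share one error so a node
// cannot enumerate which server IDs exist on other nodes.
func fixedInstallScript(token, serverID string) (map[string]string, error) {
	nodeID, ok := nodeTokens[token]
	if !ok {
		return nil, ErrUnauthenticated
	}
	if s, ok := servers[serverID]; ok && s.NodeID == nodeID {
		return s.InstallEnv, nil
	}
	return nil, ErrNotOwner
}

func main() {
	fmt.Println(fixedInstallScript("tok-node-1", "srv-b")) // refused: srv-b belongs to node-2
}
```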

Attack Vector

The attack requires network access and a valid Wings node secret token. An attacker who has compromised a Wings node or obtained its authentication token from the plaintext configuration file can exploit this vulnerability through the following attack scenarios:

Server Installation Script Retrieval: Any authenticated Wings node can retrieve server installation scripts from other nodes, potentially containing secret values such as database credentials, API keys, or other sensitive configuration data.

Installation Status Manipulation: An attacker can manipulate the installation status of servers belonging to other nodes, potentially disrupting service or causing configuration inconsistencies.

Transfer Status Manipulation: Perhaps most critically, triggering a false transfer success causes the panel to delete the server from the source node, resulting in permanent data loss. This attack vector allows for deliberate destruction of server data across the entire panel infrastructure.

Lateral Movement: With access to sensitive configuration data from all servers, an attacker can move laterally through the system, compromising additional services and exfiltrating secrets that should be isolated to specific nodes.

Detection Methods for CVE-2026-26016

Indicators of Compromise

  • Unusual API requests from Wings nodes attempting to access servers not assigned to that node
  • Unexpected server installation script retrievals across node boundaries
  • Anomalous transfer status changes for servers that were not undergoing legitimate migrations
  • Access patterns showing a single node token querying information for servers across multiple nodes
  • Unexpected server deletions or data loss following false transfer completion signals

Detection Strategies

  • Monitor Wings API access logs for cross-node server information requests
  • Implement alerting for server transfer status changes that don't correlate with administrative actions
  • Track and correlate node token usage patterns to identify unauthorized cross-node access attempts
  • Review audit logs for installation script retrieval events targeting servers on different nodes

Monitoring Recommendations

  • Enable verbose logging on Wings daemon to capture all API interactions
  • Implement network segmentation monitoring between Wings nodes and the panel
  • Set up alerts for any access to /etc/pterodactyl/config.yml on Wings nodes
  • Monitor for bulk server information queries that may indicate reconnaissance activity
  • Establish baseline node-to-server relationships and alert on deviations
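The baseline-deviation and transfer-correlation strategies above, as an added Go example that is not Pterodactyl's or SentinelOne's code: constructed access-log lines are checked against a node-to-server baseline and a list of administrator-approved transfers, yielding one alert per cross-node request and per transfer-status update that no administrator started. The log format, field names, node and server IDs are constructed assumptions, not the real Wings or panel log format.

```go
package main

import "fmt"
import "strings"

// Constructed access-log lines in a simple key=value format (not the real Wings
// or panel log format); ts=2, ts=4 and ts=6 are the suspicious entries.
const sampleLog = `ts=1 node=node-1 server=srv-a action=install_script
ts=2 node=node-1 server=srv-b action=install_script
ts=3 node=node-2 server=srv-a action=transfer_status
ts=4 node=node-1 server=srv-c action=transfer_status
ts=6 node=node-1 server=srv-z action=install_script`

// Baseline node-to-server assignments from the panel's records (constructed).
var baseline = map[string]string{"srv-a": "node-1", "srv-b": "node-2", "srv-c": "node-2"}
// Transfers an administrator actually started (constructed): server -> destination
// node. Only that destination node may legitimately report transfer status.
var approvedTransfers = map[string]string{"srv-a": "node-2"}

type Alert struct{ TS, Node, Server, Reason string }

func parseLine(line string) map[string]string {
	kv := map[string]string{}
	for _, field := range strings.Fields(line) {
		if k, v, ok := strings.Cut(field, "="); ok {
			kv[k] = v
		}
	}
	return kv
}

// DetectCrossNodeAccess flags requests for unknown servers, transfer-status
// updates matching no approved transfer (the false-transfer precondition), and
// any other request where the caller is not the server's assigned node.
func DetectCrossNodeAccess(log string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		e := parseLine(line)
		owner, known := baseline[e["server"]]
		switch {
		case !known:
			alerts = append(alerts, Alert{e["ts"], e["node"], e["server"], "server not in baseline"})
		case e["action"] == "transfer_status" && approvedTransfers[e["server"]] != e["node"]:
			alerts = append(alerts, Alert{e["ts"], e["node"], e["server"], "transfer status without approved transfer"})
		case e["action"] != "transfer_status" && owner != e["node"]:
			alerts = append(alerts, Alert{e["ts"], e["node"], e["server"], "cross-node " + e["action"]})
		}
	}
	return alerts
}

func main() {
	fmt.Println(DetectCrossNodeAccess(sampleLog)) // three alerts: ts=2, ts=4, ts=6
}
```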

How to Mitigate CVE-2026-26016

Immediate Actions Required

  • Upgrade Wings to version 1.12.1 or later immediately
  • Rotate all Wings node secret tokens after upgrading to invalidate any potentially compromised credentials
  • Audit Wings nodes for signs of compromise, particularly checking for unauthorized access to /etc/pterodactyl/config.yml
  • Review server transfer and installation logs for suspicious activity
  • Consider restricting network access between Wings nodes until the patch is applied

Patch Information

The vulnerability has been addressed in Wings version 1.12.1. Users should upgrade to this version or later to receive the fix. The patch adds proper authorization checks to verify that the requesting node is associated with the target server before allowing access to server data or permitting status manipulations.

For more information, see the GitHub Security Advisory GHSA-g7vw-f8p5-c728 and the GitHub Release v1.12.1.

Workarounds

  • Restrict network access to Wings API endpoints using firewall rules to limit node-to-panel communication
  • Implement additional authentication layers or VPN requirements for inter-node communication
  • Apply stricter file permissions on /etc/pterodactyl/config.yml to limit exposure of node tokens
  • Consider temporarily disabling server transfer functionality until the patch can be applied
  • Monitor and log all cross-node API requests as a compensating control
```bash
# Restrict access to the Wings configuration file, which holds the node secret
# token in plaintext. Assuming the daemon runs as root, as in the standard
# install, root:root with mode 0600 keeps it readable by Wings and nobody else.
chmod 600 /etc/pterodactyl/config.yml
chown root:root /etc/pterodactyl/config.yml

# Example firewall rules to restrict Wings API access (adjust ports and IPs as
# needed). Rules are evaluated in order, so the ACCEPT for the panel must be
# appended before the catch-all DROP; persist them with your distribution's
# iptables-save mechanism or they are lost on reboot.
iptables -A INPUT -p tcp --dport 8080 -s <panel_ip_address> -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Auth Bypass
  • Vendor/Tech: Pterodactyl
  • Severity: CRITICAL
  • CVSS Score: 9.2
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: High
  • Integrity: None
  • Availability: High

CWE References

  • CWE-283

Technical References

  • GitHub Release v1.12.1
  • GitHub Security Advisory GHSA-g7vw-f8p5-c728

Related CVEs

  • CVE-2025-69197: Pterodactyl TOTP Auth Bypass Vulnerability
  • CVE-2025-68954: Pterodactyl SFTP Auth Bypass Vulnerability
  • CVE-2025-69198: Pterodactyl Panel DOS Vulnerability
  • CVE-2025-49132: Pterodactyl Panel RCE Vulnerability
©2026 SentinelOne, All Rights Reserved.
