CVE-2026-35202 Overview
CVE-2026-35202 affects Pterodactyl Panel, a free, open-source game server management panel. Versions prior to 1.12.3 contain a logic flaw in the Pterodactyl Client API. The flaw allows authenticated users to bypass their assigned limits for database allocations. The root cause is a broken database locking mechanism in the controllers that fails to lock resources as intended. This vulnerability is classified under CWE-367 (Time-of-Check Time-of-Use race condition). Version 1.12.3 patches the issue.
Critical Impact
Authenticated users can exceed administrator-defined database allocation limits, undermining tenant quotas and resource governance on shared Pterodactyl deployments.
Affected Products
- Pterodactyl Panel versions prior to 1.12.3
- Pterodactyl Client API database allocation controllers
- Shared and multi-tenant Pterodactyl deployments
Discovery Timeline
- 2026-06-02 - CVE-2026-35202 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-35202
Vulnerability Analysis
The vulnerability resides in the Pterodactyl Client API endpoints that govern user database allocations. Pterodactyl enforces per-user limits on how many databases a client can create against a managed server. The controllers responsible for this enforcement attempt to apply a locking mechanism during creation requests, but the implementation does not actually acquire or hold a lock. As a result, the check that compares current database count against the configured ceiling can be evaded.
Because this is a logic flaw in business rule enforcement, exploitation does not require memory corruption, injection, or elevated privileges beyond standard client authentication. The attacker needs only an authenticated session with permission to create databases.
Root Cause
The root cause is a non-functional locking implementation in the database creation controllers, mapped to [CWE-367] Time-of-Check Time-of-Use (TOCTOU). The controller checks the user's current allocation count, then proceeds to create a new database record. Without a real lock, concurrent requests can each pass the check before any record is committed. Each request then proceeds to create a database, pushing the user above the configured limit.
Attack Vector
Exploitation requires network access and authenticated low-privilege credentials. An attacker submits multiple concurrent database creation requests to the Client API. Because the lock is ineffective, several requests pass the limit check simultaneously and each commits a new database allocation. The resulting state lets the user hold more databases than the administrator permits, which can be abused to consume backend MySQL resources or violate tenancy quotas. No code execution, data exfiltration, or integrity compromise is involved.
Technical details are documented in the Pterodactyl GitHub Security Advisory.
Detection Methods for CVE-2026-35202
Indicators of Compromise
- Users holding more database allocations than their configured limit allows in the Pterodactyl admin view.
- Bursts of concurrent POST requests to the Client API database creation endpoint from a single authenticated user.
- Unexpected growth in databases provisioned on backend MySQL hosts associated with Pterodactyl-managed nodes.
Detection Strategies
- Audit the databases table and reconcile per-user counts against configured allocation limits in the panel.
- Review web server and application logs for parallel calls to the database creation endpoint sharing the same user ID and near-identical timestamps.
- Correlate Pterodactyl audit log entries with backend MySQL CREATE DATABASE events to identify quota violations.
Monitoring Recommendations
- Alert when any client account exceeds its configured database allocation count.
- Rate-limit and log Client API database creation requests at the reverse proxy or web application firewall layer.
- Track the version string reported by the Pterodactyl Panel to confirm patched deployments across the fleet.
How to Mitigate CVE-2026-35202
Immediate Actions Required
- Upgrade all Pterodactyl Panel installations to version 1.12.3 or later.
- Audit existing user database allocations and revoke any that exceed configured limits.
- Restrict creation of new database allocations for untrusted users until the upgrade is applied.
Patch Information
Pterodactyl version 1.12.3 patches the broken locking logic in the Client API database controllers. Operators should apply the upgrade using the project's standard update procedure and verify the panel version after deployment. Refer to the GitHub Security Advisory GHSA-fgmm-w5cx-vrfw for release details.
Workarounds
- Temporarily set database allocation limits to 0 for client users via the admin panel until the upgrade is complete.
- Place the Client API behind a reverse proxy that enforces strict per-user concurrency limits on database creation endpoints.
- Monitor backend MySQL servers for unauthorized database creation and remove out-of-policy entries during incident review.
# Configuration example: confirm Pterodactyl Panel version after upgrade
cd /var/www/pterodactyl
php artisan --version
grep "'version'" config/app.php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

