CVE-2026-35202— Pterodactyl has a database resource limit bypass via race condition in Client API
Possible ATT&CK Techniques 1AI
T1136 · Create AccountAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pterodactyl | panel | < 1.12.3 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-35202
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Pterodactyl has a database resource limit bypass via race condition in Client API
Source: NVD (National Vulnerability Database)
Vulnerability Description
Pterodactyl is a free, open-source game server management panel. Prior to version 1.12.3, the Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. Version 1.12.3 patches the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
检查时间与使用时间(TOCTOU)的竞争条件
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| pterodactyl | panel | < 1.12.3 | - |
II. Public POCs for CVE-2026-35202
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-35202
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-35202 (1)
IV. Related Vulnerabilities
Same product: panel
- CVE-2026-34358
CtrlPanel: Missing Authorization on Admin Write Endpoints Al - CVE-2026-34246
CtrlPanel: Stored XSS in Admin Role Management via Unescaped - CVE-2026-34241
CtrlPanel: Stored XSS in Ticket Reply Notifications Allows S - CVE-2026-34234
CtrlPanel: Unauthenticated RCE using installer script - CVE-2026-34233
CtrlPanel has Missing Authentication Checks in Datatable Adm
Same vendor: pterodactyl
- CVE-2026-26016
Pterodactyl Panel Allows Cross-Node Server Configuration Dis - CVE-2026-21696
Endless reprocessing/reupload of activity log data due to SQ - CVE-2025-69199
Pterodactyl Wings's websocket endpoints have no visible rate - CVE-2025-69198
Pterodactyl's improper resource locking allows raced queries - CVE-2025-69197
Pterodactyl TOTPs can be reused during validity window
Same weakness: CWE-367
- CVE-2026-25260
Time-of-check Time-of-use (TOCTOU) Race Condition in DSP Ser - CVE-2025-59610
Time-of-check Time-of-use (TOCTOU) Race Condition in Camera - CVE-2026-20454
GenieZone漏洞:竞态条件致越界写入 - CVE-2026-45619
AVideo CVE-2026-43884 incomplete fix - `isSSRFSafeURL()` cal - CVE-2026-9796
Keycloak: keycloak: privilege escalation via time-of-check t
V. Comments for CVE-2026-35202
No comments yet