GHSA-fgmm-w5cx-vrfw

Source
https://github.com/advisories/GHSA-fgmm-w5cx-vrfw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fgmm-w5cx-vrfw/GHSA-fgmm-w5cx-vrfw.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fgmm-w5cx-vrfw
Aliases
  • CVE-2026-35202
Published
2026-05-26T19:30:02Z
Modified
2026-06-09T11:15:08.794436953Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Summary
Pterodactyl has a database resource limit bypass via race condition in Client API
Details

Summary

The Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers never takes a lock: the lock call is issued in a way that sends nothing to the database.

Details

Inside DatabaseController.php, the code tries to prevent multiple databases from being created at once by calling $server->databases()->lockForUpdate(). In Laravel, this only configures a query builder; no SELECT ... FOR UPDATE is ever sent to the database because the call is missing a terminal method such as count() or get(). The statement is effectively a no-op.

Since there is no real lock, multiple requests hitting the endpoint at the same time all observe a database count below the limit. Each of them proceeds to the DeployServerDatabaseService and successfully creates an extra resource on the physical host.
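As an added illustration that is not Pterodactyl's own code or its fix, the racy pattern the advisory describes is shown beside a hardened version that locks the parent server row inside a transaction before counting. The `database_limit` attribute, the `databases()` relation and the `$deploy` callable are assumptions for the example.

```php
<?php
// Added example, not Pterodactyl's code. Shows the no-op lock described in the
// advisory and one way to make the limit check atomic. Assumes a Server model
// with a `databases()` hasMany relation and a `database_limit` attribute.

use Illuminate\Support\Facades\DB;

// VULNERABLE pattern: lockForUpdate() only configures the query builder. With no
// terminal method (get(), count(), first(), ...) no SELECT ... FOR UPDATE is sent,
// so concurrent requests all read count < limit and all proceed to deploy.
function createDatabaseRacy($server, callable $deploy)
{
    $server->databases()->lockForUpdate();            // no query executed: no-op
    if ($server->databases()->count() >= $server->database_limit) {
        throw new RuntimeException('Database limit reached.');
    }
    return $deploy($server);                          // every concurrent caller reaches this
}

// HARDENED pattern: run check-and-create in one transaction and lock the parent
// server row first. Concurrent requests for the same server serialize on that
// row, so the count each one reads already includes the previous caller's insert.
function createDatabaseAtomic($server, callable $deploy)
{
    return DB::transaction(function () use ($server, $deploy) {
        // The terminal first() makes the SELECT ... FOR UPDATE actually execute.
        $locked = $server->newQuery()
            ->whereKey($server->getKey())
            ->lockForUpdate()
            ->first();
        if ($locked->databases()->count() >= $locked->database_limit) {
            throw new RuntimeException('Database limit reached.');
        }
        return $deploy($locked);   // the panel-side row insert must happen before commit
    });
}
```

The lock only helps if the new database row is inserted inside the same transaction; work on the external host that cannot be rolled back belongs after the commit, or needs its own compensation if the insert fails.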

Impact

Users are able to create more databases than they are supposed to, potentially also breaking the web interface.

Database specific
{
    "nvd_published_at": "2026-06-02T20:16:35Z",
    "cwe_ids": [
        "CWE-367",
        "CWE-770"
    ],
    "github_reviewed": true,
    "severity": "LOW",
    "github_reviewed_at": "2026-05-26T19:30:02Z"
}
References

Affected packages

Packagist / pterodactyl/panel

Package

Name
pterodactyl/panel
Purl
pkg:composer/pterodactyl%2Fpanel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.12.3

Affected versions

v0.*
v0.1.0-beta
v0.1.1-beta
v0.1.2-beta
v0.2.0-beta
v0.3.0-beta
v0.4.0-beta
v0.4.1-beta
v0.5.0-rc.1
v0.5.0-rc.2
v0.5.0
v0.5.1
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.6.0-beta.1
v0.6.0-beta.2
v0.6.0-beta.2.1
v0.6.0-rc.1
v0.6.0
v0.6.1
v0.6.2
v0.6.3
v0.6.4
v0.7.0-beta.1
v0.7.0-beta.2
v0.7.0-beta.3
v0.7.0-beta.4
v0.7.0-rc.1
v0.7.0-rc.2
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.7.5
v0.7.6
v0.7.7
v0.7.8
v0.7.9
v0.7.10
v0.7.11
v0.7.12
v0.7.13
v0.7.14
v0.7.15
v0.7.16
v0.7.17
v0.7.18
v0.7.19
v0.8.0-alpha.1
v0.8.0-alpha.2
v1.*
v1.0.0-beta.1
v1.0.0-beta.2
v1.0.0-beta.3
v1.0.0-beta.4
v1.0.0-beta.5
v1.0.0-beta.6
v1.0.0-beta.7
v1.0.0-rc.1
v1.0.0-rc.2
v1.0.0-rc.3
v1.0.0-rc.4
v1.0.0-rc.5
v1.0.0-rc.6
v1.0.0-rc.7
v1.0.0
v1.0.1
v1.0.2
v1.0.3
v1.1.0
v1.1.1
v1.1.2
v1.1.3
v1.2.0
v1.2.1
v1.2.2
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.4.1
v1.4.2
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.2
v1.6.3
v1.6.5
v1.6.6
v1.7.0
v1.8.0
v1.8.1
v1.9.0
v1.9.1
v1.9.2
v1.10.0
v1.10.1
v1.10.2
v1.10.3
v1.10.4
v1.11.0-rc.1
v1.11.0-rc.2
v1.11.0
v1.11.1
v1.11.2
v1.11.3
v1.11.4
v1.11.5
v1.11.6
v1.11.7
v1.11.8
v1.11.9
v1.11.10
v1.11.11
v1.12.0
v1.12.1
v1.12.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-fgmm-w5cx-vrfw/GHSA-fgmm-w5cx-vrfw.json"