GHSA-hr7j-63v7-vj7g

Source

https://github.com/advisories/GHSA-hr7j-63v7-vj7g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-hr7j-63v7-vj7g/GHSA-hr7j-63v7-vj7g.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-hr7j-63v7-vj7g

Published

2026-02-17T17:15:18Z

Modified

2026-02-17T17:23:19.804690Z

Severity

7.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change

Details

Summary

Deleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked. This can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.

Details

When a user with SFTP access is deleted from the Pterodactyl Panel or when the user's password is changed while one or more SFTP connections are active, those existing connections remain fully functional.

Neither account deletion nor password change invalidates the authentication state of already-established SFTP sessions. As a result, the active SFTP connection pool continues to allow read and write operations until the client disconnects or the session times out.

This behavior occurs even when the password is changed by an administrator through the panel, meaning credential rotation does not revoke active access.

This suggests that active SFTP sessions are not tracked or forcefully terminated on credential revocation events. This effectively prevents administrators from responding to credential compromise incidents in real time.

PoC

Scenario 1: Account deletion 1. Create a user with SFTP access to a server. 2. Connect to the server via SFTP using any SFTP client (e.g. sftp, FileZilla). 3. Keep the SFTP session open and active. 4. Delete the user account from the Pterodactyl Panel. 5. Continue performing file operations through the already-established SFTP connection.

Result: The SFTP session remains active and usable despite the user account being deleted.

Scenario 2: Password change 1. Create a user with SFTP access to a server. 2. Establish an active SFTP connection. 3. Change the user's password (including via administrator panel). 4. Continue performing file operations using the existing SFTP connection.

Result: The SFTP session remains active and usable even after the password has been changed.

Impact

This issue prevents immediate revocation of compromised credentials. Vulnerability type: Access control / session invalidation issue

Impacted parties:

Server administrators
Hosting providers using Pterodactyl Panel

Security impact:

Deleted users may retain filesystem access longer than intended, which can lead to:

Unauthorized data access
Data modification or deletion
Compliance and security policy violations

Database specific

{
    "github_reviewed_at": "2026-02-17T17:15:18Z",
    "github_reviewed": true,
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-284",
        "CWE-613"
    ],
    "severity": "HIGH"
}

References

Affected packages

Packagist / pterodactyl/panel

Package

Name: pterodactyl/panel
Purl: pkg:composer/pterodactyl/panel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.1

Affected versions

v0.*

v0.1.0-beta

v0.1.1-beta

v0.1.2-beta

v0.2.0-beta

v0.3.0-beta

v0.4.0-beta

v0.4.1-beta

v0.5.0-rc.1

v0.5.0-rc.2

v0.5.0

v0.5.1

v0.5.2

v0.5.3

v0.5.4

v0.5.5

v0.5.6

v0.5.7

v0.6.0-beta.1

v0.6.0-beta.2

v0.6.0-beta.2.1

v0.6.0-rc.1

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.7.0-beta.1

v0.7.0-beta.2

v0.7.0-beta.3

v0.7.0-beta.4

v0.7.0-rc.1

v0.7.0-rc.2

v0.7.0

v0.7.1

v0.7.2

v0.7.3

v0.7.4

v0.7.5

v0.7.6

v0.7.7

v0.7.8

v0.7.9

v0.7.10

v0.7.11

v0.7.12

v0.7.13

v0.7.14

v0.7.15

v0.7.16

v0.7.17

v0.7.18

v0.7.19

v0.8.0-alpha.1

v0.8.0-alpha.2

v1.*

v1.0.0-beta.1

v1.0.0-beta.2

v1.0.0-beta.3

v1.0.0-beta.4

v1.0.0-beta.5

v1.0.0-beta.6

v1.0.0-beta.7

v1.0.0-rc.1

v1.0.0-rc.2

v1.0.0-rc.3

v1.0.0-rc.4

v1.0.0-rc.5

v1.0.0-rc.6

v1.0.0-rc.7

v1.0.0

v1.0.1

v1.0.2

v1.0.3

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.2.0

v1.2.1

v1.2.2

v1.3.0

v1.3.1

v1.3.2

v1.4.0

v1.4.1

v1.4.2

v1.5.0

v1.5.1

v1.6.0

v1.6.1

v1.6.2

v1.6.3

v1.6.5

v1.6.6

v1.7.0

v1.8.0

v1.8.1

v1.9.0

v1.9.1

v1.9.2

v1.10.0

v1.10.1

v1.10.2

v1.10.3

v1.10.4

v1.11.0-rc.1

v1.11.0-rc.2

v1.11.0

v1.11.1

v1.11.2

v1.11.3

v1.11.4

v1.11.5

v1.11.6

v1.11.7

v1.11.8

v1.11.9

v1.11.10

v1.11.11

v1.12.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-hr7j-63v7-vj7g/GHSA-hr7j-63v7-vj7g.json"

Go / github.com/pterodactyl/wings

Package

Name: github.com/pterodactyl/wings; View open source insights on deps.dev
Purl: pkg:golang/github.com/pterodactyl/wings

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.12.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-hr7j-63v7-vj7g/GHSA-hr7j-63v7-vj7g.json"