CVE-2025-68954

Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability to be exploited. This issue is fixed in version 1.12.0.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5	Patch
https://github.com/pterodactyl/panel/releases/tag/v1.12.0	Product Release Notes
https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:pterodactyl:panel::::::::
	cpe:2.3:a:pterodactyl:wings::::::::

History

No history.

Information

Published : 2026-01-06 01:16

Updated : 2026-01-12 21:29

NVD link : CVE-2025-68954

Mitre link : CVE-2025-68954

CVE.ORG link : CVE-2025-68954

JSON object : View

Products Affected

pterodactyl

panel
wings

CWE

CWE-613

Insufficient Session Expiration

{"id": "CVE-2025-68954", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-06T01:16:01.387", "references": [{"url": "https://github.com/pterodactyl/panel/commit/2bd9d8baddb0e0606e4a9d5be402f48678ac88d5", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.0", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-8c39-xppg-479c", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-613"}]}], "descriptions": [{"lang": "en", "value": "Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access over SFTP. This allows a user that was already connected to SFTP to remain connected and access files even after their permissions are revoked. A user must have been connected to SFTP at the time of their permissions being revoked in order for this vulnerability to be exploited. This issue is fixed in version 1.12.0."}], "lastModified": "2026-01-12T21:29:12.877", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:pterodactyl:panel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6163FD74-C4E9-4B5C-82B5-9BB139F9FE9D", "versionEndExcluding": "1.12.0"}, {"criteria": "cpe:2.3:a:pterodactyl:wings:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0892774-9788-48C8-A188-A1A6373735F0", "versionEndExcluding": "1.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}