CVE-2025-69198 and other Pterodactyl fixes explained quickly

Mizael Segovia · 1/19/2026 · 4 min read

CVE-2025-69198, CVE-2025-69199, and CVE-2026-21696 in Pterodactyl

If you run Pterodactyl in production, CVE-2025-69198, CVE-2025-69199, and CVE-2026-21696 are the kind of issues that don't look scary in a headline but can absolutely ruin your day in ops.

These three vulnerabilities hit the two places that matter most: the Panel under heavy request pressure, and Wings under WebSocket and activity-logging edge cases. In practice that means resource exhaustion, noisy incidents, and "why is my disk full?" tickets.

Official advisory links:

What these CVEs mean in real life

All three can end in some flavor of denial of service or resource starvation:

  • Filling storage faster than your limits should allow

  • Burning CPU/RAM/network due to unthrottled or repeated workloads

  • Flooding the Panel with re-sent activity data until its database runs out of disk

If you sell game hosting, this isn’t theoretical—this is literally how you get weekend incident calls and angry clients.

CVE-2025-69198 — Resource limit bypass via request bursts (Panel)

What it is: the Panel enforces per-server limits on databases, allocations, and backups, but in versions before 1.12.0 those checks can be bypassed by sending many requests at the same time. Validation runs early and does not lock the target server while the request is processed, so concurrent requests can all pass the check and then all create their resource. This is a classic check-then-act race: the quota is only enforced if the count and the insert happen as one atomic step.

Why it matters: A malicious user can:

  • Create more databases/allocations/backups than allowed

  • Consume limited node allocations

  • Fill backup storage faster than your policy intends

  • Starve resources that other users on the system need

Who’s affected: Panel versions < 1.12.0 (patched in 1.12.0).

What to do: upgrade the Panel to 1.12.0; that is the real fix. Rate limiting or WAF rules in front of the Panel API are a useful safety net in the meantime, but they only reduce how many requests can land inside the race window; they do not close it, so they are not a substitute for patching.
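The race described above, as an added example that is not Pterodactyl's own code: a Go model of the check-then-create sequence. The server type, the limit of 2, and the barrier that makes every request finish validation before any of them creates are constructed for the example (a burst of overlapping HTTP requests produces the same interleaving against a real Panel). The Panel itself is PHP with the quota in MySQL, but the failure pattern is the same.

```go
package main

import (
	"fmt"
	"sync"
)

// server models the per-server quota the Panel checks before creating a
// database, allocation or backup. Hypothetical type for this example.
type server struct {
	mu        sync.Mutex
	limit     int
	databases []string
}

// createUnsafe follows the pre-1.12.0 pattern: validate the quota first, then
// create later without holding a lock across the two steps. The validated
// barrier and release channel force every request to finish validation before
// any of them creates, which is what overlapping requests achieve in practice.
func createUnsafe(s *server, name string, validated *sync.WaitGroup, release <-chan struct{}) bool {
	s.mu.Lock()
	ok := len(s.databases) < s.limit // every request sees the same count
	s.mu.Unlock()
	validated.Done()
	<-release
	if !ok {
		return false
	}
	s.mu.Lock() // the lock protects the slice, not the check-then-create sequence
	s.databases = append(s.databases, name)
	s.mu.Unlock()
	return true
}

// createSafe holds the lock across check and create, so the quota check and
// the insert are one atomic step. In a database-backed panel the equivalent is
// a transaction that locks the server row (SELECT ... FOR UPDATE) before
// counting and inserting, or an application lock keyed by server id.
func createSafe(s *server, name string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if len(s.databases) >= s.limit {
		return false
	}
	s.databases = append(s.databases, name)
	return true
}

// burstUnsafe fires n concurrent create requests at a server with the given
// limit and returns how many databases exist afterwards.
func burstUnsafe(limit, n int) int {
	s := &server{limit: limit}
	var validated, done sync.WaitGroup
	release := make(chan struct{})
	validated.Add(n)
	done.Add(n)
	for i := 0; i < n; i++ {
		go func(i int) {
			defer done.Done()
			createUnsafe(s, fmt.Sprintf("db%d", i), &validated, release)
		}(i)
	}
	validated.Wait() // all requests passed validation...
	close(release)   // ...and now all of them create
	done.Wait()
	return len(s.databases)
}

// burstSafe does the same against the locked implementation.
func burstSafe(limit, n int) int {
	s := &server{limit: limit}
	var done sync.WaitGroup
	done.Add(n)
	for i := 0; i < n; i++ {
		go func(i int) {
			defer done.Done()
			createSafe(s, fmt.Sprintf("db%d", i))
		}(i)
	}
	done.Wait()
	return len(s.databases)
}

func main() {
	fmt.Printf("limit 2, 50 concurrent requests: unsafe=%d safe=%d\n",
		burstUnsafe(2, 50), burstSafe(2, 50))
}
```

Run it and the unsafe path creates 50 databases against a limit of 2, while the locked path stops at 2. The point for the Panel is the same: an upstream rate limit makes the burst smaller but any two requests that overlap still both pass validation; only making count-and-insert atomic closes the gap.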

CVE-2025-69199 — WebSocket DoS due to missing throttling (Wings)


What it is: Wings WebSocket endpoints lacked rate limiting and throttling and did not enforce a maximum message size, so an attacker can open a large number of connections and send or request data until the node is overloaded.

Impact: Excessive network traffic and increased CPU/RAM usage, potentially pushing Wings into an availability failure. GitHub rates it High severity (CVSS shown as 8.3 on the advisory).

Affected versions: < 1.12.0
Patched version: 1.12.0

What to do: upgrade Wings to 1.12.0, and treat the exposed WebSocket surface like any other high-traffic endpoint: monitor connection counts and message rates per source, and put upstream limits (per-IP connection caps, request rates) in front of it.
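An added example, not Wings' code: the three controls the advisory says were missing (a cap on concurrent connections per client, a per-connection message rate, and a maximum frame size), written as a small stdlib-only Go throttle that a WebSocket handler would call on connect, on disconnect, and before parsing every inbound frame. The limit values, the Throttle type, and the injected clock are assumptions for the example; the real numbers depend on the node.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// Example limits, not Wings' own; tune them per node.
const (
	maxConnsPerClient = 5        // concurrent sockets per source address
	maxMessageBytes   = 64 << 10 // largest frame accepted from a client
	refillPerSecond   = 10.0     // sustained messages per second per socket
	burstSize         = 20.0     // short burst allowed before throttling
)

var (
	ErrTooManyConns  = errors.New("too many concurrent websocket connections")
	ErrRateLimited   = errors.New("websocket message rate limit exceeded")
	ErrMessageTooBig = errors.New("websocket message exceeds size limit")
)

// bucket is a token bucket refilled continuously at refillPerSecond.
type bucket struct {
	tokens float64
	last   time.Time
}

// Throttle tracks per-client connection counts and per-connection buckets.
// The clock is injected so the behaviour can be tested without sleeping.
type Throttle struct {
	mu      sync.Mutex
	now     func() time.Time
	conns   map[string]int
	buckets map[string]*bucket
}

func NewThrottle(now func() time.Time) *Throttle {
	if now == nil {
		now = time.Now
	}
	return &Throttle{now: now, conns: map[string]int{}, buckets: map[string]*bucket{}}
}

// Connect admits a new socket for client (e.g. the remote IP) unless that
// client already holds maxConnsPerClient sockets. connID identifies the
// socket for per-connection throttling.
func (t *Throttle) Connect(client, connID string) error {
	t.mu.Lock()
	defer t.mu.Unlock()
	if t.conns[client] >= maxConnsPerClient {
		return fmt.Errorf("%w: %s", ErrTooManyConns, client)
	}
	t.conns[client]++
	t.buckets[connID] = &bucket{tokens: burstSize, last: t.now()}
	return nil
}

// Disconnect releases the slot held by connID.
func (t *Throttle) Disconnect(client, connID string) {
	t.mu.Lock()
	defer t.mu.Unlock()
	if t.conns[client] > 0 {
		t.conns[client]--
	}
	delete(t.buckets, connID)
}

// AllowMessage is called for every inbound frame before it is parsed. It
// rejects oversized frames first (cheap, and before any allocation), then
// spends one token from the connection's bucket.
func (t *Throttle) AllowMessage(connID string, size int) error {
	if size > maxMessageBytes {
		return fmt.Errorf("%w: %d bytes", ErrMessageTooBig, size)
	}
	t.mu.Lock()
	defer t.mu.Unlock()
	b, ok := t.buckets[connID]
	if !ok {
		return fmt.Errorf("unknown connection %q", connID)
	}
	now := t.now()
	b.tokens += now.Sub(b.last).Seconds() * refillPerSecond
	if b.tokens > burstSize {
		b.tokens = burstSize
	}
	b.last = now
	if b.tokens < 1 {
		return ErrRateLimited
	}
	b.tokens--
	return nil
}

func main() {
	th := NewThrottle(nil)
	_ = th.Connect("203.0.113.7", "c1")
	for i := 0; i < 22; i++ { // the 21st and 22nd frames are rejected
		if err := th.AllowMessage("c1", 128); err != nil {
			fmt.Println("frame", i+1, "rejected:", err)
		}
	}
}
```

The size check runs before the bucket is touched because an oversized frame should never be buffered at all; with a real WebSocket library this maps to the library's read-limit setting, and the connection cap belongs at the upgrade handler, keyed by the address your reverse proxy forwards.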

CVE-2026-21696 — Endless activity log reprocessing (Wings)

What it is: Wings stores activity logs in SQLite and deletes processed entries after sending them to the Panel, but it did not account for SQLite's limit on bound parameters per statement (32766 by default). A DELETE ... WHERE id IN (?, ?, ...) binds one parameter per entry, so if Wings tries to delete more than 32766 entries in one query, the statement fails and nothing is removed. Those entries are then reprocessed and resent on every cron run, indefinitely.

Impact: Wings can repeatedly upload the same (and growing) activity dataset to the Panel until the Panel’s database runs out of disk space. That’s a very real “your dashboard is down” outcome. Severity is listed as High (CVSS shown as 8.3).

Affected versions: >= 1.7.0, < 1.12.0
Patched version: 1.12.0

What to do: Upgrade Wings to 1.12.0. Also, if you’ve ever wondered why your activity tables grow like they’re on protein powder—this is exactly the kind of bug that causes it.
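An added example that is not Wings' code, modelling the bug and the chunked fix. The activityStore type and the activity_logs table name are constructed for the example: the store refuses a statement that binds more than 32766 variables, the way SQLite built with the default SQLITE_MAX_VARIABLE_NUMBER does, and a refused DELETE removes nothing. Three simulated cron runs over 40,000 pending rows show the naive path re-uploading everything each run while the chunked path drains the table once.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// sqliteMaxVariables is SQLite's default SQLITE_MAX_VARIABLE_NUMBER (32766
// since 3.32.0). DELETE ... WHERE id IN (?, ?, ...) binds one variable per id,
// so it caps how many rows one statement can target.
const sqliteMaxVariables = 32766

var errTooManyVariables = errors.New("too many SQL variables")

// activityStore stands in for the Wings SQLite activity table (constructed for
// this example).
type activityStore struct {
	maxVars int
	rows    map[int64]struct{}
}

func newActivityStore(n, maxVars int) *activityStore {
	s := &activityStore{maxVars: maxVars, rows: make(map[int64]struct{}, n)}
	for i := 1; i <= n; i++ {
		s.rows[int64(i)] = struct{}{}
	}
	return s
}

// pending returns the ids still waiting to be sent, in ascending order.
func (s *activityStore) pending() []int64 {
	ids := make([]int64, 0, len(s.rows))
	for id := range s.rows {
		ids = append(ids, id)
	}
	sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] })
	return ids
}

// deleteStatement renders the DELETE one chunk maps to (table name illustrative).
func deleteStatement(ids []int64) string {
	marks := strings.TrimSuffix(strings.Repeat("?, ", len(ids)), ", ")
	return "DELETE FROM activity_logs WHERE id IN (" + marks + ")"
}

// deleteByIDs runs one DELETE for all ids, failing the way SQLite does when
// the statement needs more bound variables than allowed: no row is removed.
func (s *activityStore) deleteByIDs(ids []int64) error {
	if len(ids) > s.maxVars {
		return fmt.Errorf("%w: %d > %d", errTooManyVariables, len(ids), s.maxVars)
	}
	for _, id := range ids {
		delete(s.rows, id)
	}
	return nil
}

// flushNaive is the pre-1.12.0 behaviour: upload every pending row to the
// Panel, then delete them all with a single statement.
func flushNaive(s *activityStore) (sent int, err error) {
	ids := s.pending()
	sent = len(ids) // uploaded before the delete runs
	return sent, s.deleteByIDs(ids)
}

// flushChunked deletes in chunks that stay within the variable limit, so every
// statement succeeds and nothing is resent on the next run.
func flushChunked(s *activityStore) (sent int, err error) {
	ids := s.pending()
	sent = len(ids)
	for start := 0; start < len(ids); start += sqliteMaxVariables {
		end := start + sqliteMaxVariables
		if end > len(ids) {
			end = len(ids)
		}
		if err := s.deleteByIDs(ids[start:end]); err != nil {
			return sent, err
		}
	}
	return sent, nil
}

// runCron simulates runs of the activity cron and returns the total number of
// rows uploaded to the Panel across all runs.
func runCron(s *activityStore, runs int, flush func(*activityStore) (int, error)) int {
	total := 0
	for i := 0; i < runs; i++ {
		n, err := flush(s)
		total += n
		if err != nil {
			fmt.Printf("run %d: sent %d rows, delete failed: %v\n", i+1, n, err)
		}
	}
	return total
}

func main() {
	naive := newActivityStore(40000, sqliteMaxVariables)
	fmt.Println("naive: uploaded", runCron(naive, 3, flushNaive), "rows, still pending", len(naive.pending()))
	fixed := newActivityStore(40000, sqliteMaxVariables)
	fmt.Println("chunked: uploaded", runCron(fixed, 3, flushChunked), "rows, still pending", len(fixed.pending()))
}
```

Note that the naive path works fine while fewer than 32766 entries accumulate between runs, which is why the bug only surfaces on busy nodes or after the Panel has been unreachable for a while. If you are diagnosing an affected node, the tell is a Wings activity table that never shrinks alongside a Panel activity table that grows by the same block of rows every cron interval.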

Patch plan that won’t make you hate your life

  1. Backups that actually matter: Panel DB + Panel files + Wings config.

  2. Staging first if possible: even a quick clone VM saves you from surprise downtime.

  3. Upgrade targets:

    • Panel → 1.12.0 (covers CVE-2025-69198)

    • Wings → 1.12.0 (covers CVE-2025-69199 and CVE-2026-21696)

  4. After update: watch node load, WebSocket connection behavior, and Panel DB growth for a bit—these CVEs are literally about resource patterns.

Conclusion

  • CVE-2025-69198 can let users burst past per-server resource limits on the Panel via concurrency.

  • CVE-2025-69199 is a WebSocket throttling gap that can turn into a node DoS.

  • CVE-2026-21696 can cause endless activity log reuploads until your Panel database runs out of disk.


About the Author

Mizael Segovia

CEO, Full Stack and DevOps Developer at Teramont Host
