CVE Reports

Posted on • Originally published at cvereports.com

GHSA-HR7J-63V7-VJ7G: The Phantom Session: Surviving the Ban Hammer in Pterodactyl

Vulnerability ID: GHSA-HR7J-63V7-VJ7G
CVSS Score: 7.5
Published: 2026-02-17

Pterodactyl is the most widely deployed open-source game server panel, and its control plane is split in two: the management Panel owns user accounts and credentials, while the remote Wings daemon on each node serves SFTP to those users. A synchronization gap between the two created a zombie apocalypse scenario: SFTP sessions that refused to die. Wings checks a user's credentials with the Panel once, when the SFTP client connects, and the Panel never told Wings when that user was later deleted or had their password changed. A malicious user whose SFTP client was already connected kept full filesystem access to the server after being banned, turning a routine account termination into a race against an open socket the operator could not even see from the Panel.

TL;DR

A high-severity (CVSS 7.5) logic flaw in Pterodactyl Panel < 1.12.1 allowed SFTP sessions to persist after user account deletion or password resets. Because the Panel never signalled the Wings daemon to terminate the user's active connections, a banned user with an SFTP client still connected could continue to read, write, or delete files for as long as that connection stayed open. The fix dispatches a queued RevokeSftpAccessJob from the user deletion and user update services so that Wings forcibly kills those sessions.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Improper Session Handling (active SFTP sessions not invalidated when credentials are revoked)
  • Attack Vector: Network
  • Precondition: the attacker already holds valid credentials and an established SFTP session before the account is deleted or the password changed
  • Confidentiality: High (read access to server files)
  • Integrity: High (file modification)
  • Availability: High (service disruption via file deletion)
  • CVSS Score: 7.5 (High)

Affected Systems

  • Pterodactyl Panel < 1.12.1 (fixed in 1.12.1)
  • Wings daemon: the commit below is Panel-side, but Wings is involved indirectly because it is the component holding the open sessions that the Panel fails to revoke, so every node attached to an unpatched Panel is exposed

Code Analysis

Commit: 0e74f3a

Fixes logic to revoke SFTP sessions on password change or account deletion

Added RevokeSftpAccessJob dispatch to UserDeletionService and UserUpdateService
The commit message is the whole public description of the change: the two services that mutate a user's credentials now dispatch a queued job, so revocation is asynchronous and only happens if the Panel's queue worker is running. On a Panel whose queue is stopped or stuck, the upgrade alone revokes nothing.

Exploit Details

  • Theory: persistence over an established TCP connection after authorization is revoked. SFTP runs inside an SSH session that is authenticated once, at connection setup; deleting the account or changing the password in the Panel changes what Wings would answer to a new login, but does nothing to the connection that is already open, so the client keeps issuing list, read, write and delete requests over a channel that was authorized before the ban. No tooling beyond an ordinary SFTP client that is simply left connected is required.

Mitigation Strategies

  • Upgrade Pterodactyl Panel to v1.12.1+; this is the only complete fix
  • Until then, restart the Wings daemon on the affected node after deleting a user or resetting a password; this drops every SFTP session on that node, not only the revoked user's, so schedule it accordingly
  • Monitor for long-running SFTP sessions on Wings nodes (the SFTP listener is on port 2022 by default) and treat a session that outlives its account as an incident
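As an added illustration (this is not Pterodactyl's code, and every type and function name in it is an assumption of the model), the following Go program plays out both the flaw described above and the last mitigation: Wings checks credentials with the Panel only at connect time, an unpatched Panel deletes the account without telling Wings, a patched Panel makes the revocation call that RevokeSftpAccessJob stands for, and a LongRunning check lists sessions that have outlived a threshold. Go is used because Wings, the daemon that actually holds the sessions, is written in Go.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Constructed model of the Panel <-> Wings split the advisory describes; none of
// these names are Pterodactyl's own. Wings validates an SFTP login against the
// Panel once, at connect time, then serves the session until the client hangs up.

var errAuth = errors.New("sftp: authentication failed")

// Session is one open SFTP connection on Wings; Closed is set only by Wings itself.
type Session struct {
	ID       int
	User     string
	OpenedAt time.Time
	Closed   bool
}

// Wings holds the live SFTP sessions of one node.
type Wings struct {
	nextID   int
	sessions map[int]*Session
}

func NewWings() *Wings { return &Wings{sessions: map[int]*Session{}} }
// Connect is the only point where credentials are checked: the synchronization gap.
func (w *Wings) Connect(p *Panel, user, pass string, now time.Time) (*Session, error) {
	if stored, ok := p.users[user]; !ok || stored != pass {
		return nil, errAuth
	}
	w.nextID++
	s := &Session{ID: w.nextID, User: user, OpenedAt: now}
	w.sessions[s.ID] = s
	return s, nil
}

// RevokeUser is the Wings half of the fix: close every session the user holds.
func (w *Wings) RevokeUser(user string) int {
	n := 0
	for id, s := range w.sessions {
		if s.User == user {
			s.Closed = true
			delete(w.sessions, id)
			n++
		}
	}
	return n
}

// LongRunning is the "monitor for long-running SFTP sessions" mitigation:
// every session that has been open for longer than threshold at time now.
func (w *Wings) LongRunning(now time.Time, threshold time.Duration) []*Session {
	var out []*Session
	for _, s := range w.sessions {
		if now.Sub(s.OpenedAt) > threshold {
			out = append(out, s)
		}
	}
	return out
}

// Panel owns accounts. patched=false models Panel < 1.12.1, which never signals
// Wings; patched=true models the RevokeSftpAccessJob dispatch (direct call here).
type Panel struct {
	users   map[string]string // username -> password, plaintext only in this model
	wings   *Wings
	patched bool
}

// DeleteUser models UserDeletionService; UserUpdateService behaves the same on a
// password change.
func (p *Panel) DeleteUser(user string) {
	delete(p.users, user)
	if p.patched {
		p.wings.RevokeUser(user)
	}
}

// Ban plays out the advisory: the attacker is connected when the admin deletes the
// account. Reports whether the old session still works and whether a fresh login is refused.
func Ban(patched bool) (oldSessionWorks, freshLoginRefused bool) {
	t0 := time.Date(2026, 2, 17, 9, 0, 0, 0, time.UTC)
	w := NewWings()
	p := &Panel{users: map[string]string{"attacker": "hunter2"}, wings: w, patched: patched}
	s, _ := w.Connect(p, "attacker", "hunter2", t0) // valid credentials, so no error
	p.DeleteUser("attacker")
	_, err := w.Connect(p, "attacker", "hunter2", t0.Add(time.Minute))
	return !s.Closed, errors.Is(err, errAuth)
}

func main() {
	for _, patched := range []bool{false, true} {
		works, refused := Ban(patched)
		fmt.Printf("patched=%v: old session still works=%v, fresh login refused=%v\n", patched, works, refused)
	}
}
```

Running it shows the asymmetry that makes the bug easy to miss: on both the unpatched and the patched model a fresh login with the deleted credentials is refused, so a quick "can they still log in?" check passes, while only the patched model closes the session that was already open.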

Remediation Steps:

  1. Put the panel into maintenance mode: php artisan down
  2. Pull the latest stable release via git or download the archive.
  3. Install composer dependencies: composer install --no-dev --optimize-autoloader
  4. Migrate the database: php artisan migrate (add --force on a production Panel, where artisan otherwise stops to ask for confirmation)
  5. Restart queue workers so they load the new Job class: php artisan queue:restart, then confirm the worker is actually running (the Pterodactyl docs install it as the pteroq systemd service). The revocation is a queued job, so an idle queue means no revocation.
  6. Bring the panel back online: php artisan up
  7. Restart Wings once on every node. The new job only fires on future deletions and password changes; any session orphaned by a ban that happened before the upgrade stays open until Wings drops it.

References

  • GitHub advisory: https://github.com/advisories/GHSA-hr7j-63v7-vj7g
  • Full report for GHSA-HR7J-63V7-VJ7G at cvereports.com, with diagrams and the complete exploit analysis.
