CVE-2026-35202
Pterodactyl has a database resource limit bypass via race condition in Client API
Description
### Summary The Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn't actually lock anything. ### Details Inside `DatabaseController.php`, the code tries to prevent multiple databases from being created at once by calling `$server->databases()->lockForUpdate()`. In Laravel, this just configures a query builder but never actually sends a command to the database because it’s missing a terminal method like `count()` or `get()`. It’s basically a no-op that does nothing. Since there’s no real lock, multiple requests hitting the endpoint at the exact same time will all see that the database count is under the limit. They all move forward to the `DeployServerDatabaseService` and successfully create extra resources on the physical host. ### Impact Users are able to create more databases than they are supposed to, potentially also breaking the web interface.
How to fix CVE-2026-35202
To remediate CVE-2026-35202, upgrade the affected package to a fixed version below.
- —upgrade to 1.12.3 or later
Is CVE-2026-35202 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.12.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |