GHSA-HR7J-63V7-VJ7G

Vulnerability from github – Published: 2026-02-17 17:15 – Updated: 2026-02-17 17:15
VLAI
Summary
Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change
Details

Summary

Deleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked. This can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.

Details

When a user with SFTP access is deleted from the Pterodactyl Panel or when the user's password is changed while one or more SFTP connections are active, those existing connections remain fully functional.

Neither account deletion nor password change invalidates the authentication state of already-established SFTP sessions. As a result, the active SFTP connection pool continues to allow read and write operations until the client disconnects or the session times out.

This behavior occurs even when the password is changed by an administrator through the panel, meaning credential rotation does not revoke active access.

This suggests that active SFTP sessions are not tracked or forcefully terminated on credential revocation events. This effectively prevents administrators from responding to credential compromise incidents in real time.

PoC

Scenario 1: Account deletion 1. Create a user with SFTP access to a server. 2. Connect to the server via SFTP using any SFTP client (e.g. sftp, FileZilla). 3. Keep the SFTP session open and active. 4. Delete the user account from the Pterodactyl Panel. 5. Continue performing file operations through the already-established SFTP connection.

Result: The SFTP session remains active and usable despite the user account being deleted.

Scenario 2: Password change 1. Create a user with SFTP access to a server. 2. Establish an active SFTP connection. 3. Change the user's password (including via administrator panel). 4. Continue performing file operations using the existing SFTP connection.

Result: The SFTP session remains active and usable even after the password has been changed.

Impact

This issue prevents immediate revocation of compromised credentials. Vulnerability type: Access control / session invalidation issue

Impacted parties:

  1. Server administrators
  2. Hosting providers using Pterodactyl Panel

Security impact:

Deleted users may retain filesystem access longer than intended, which can lead to:

  1. Unauthorized data access
  2. Data modification or deletion
  3. Compliance and security policy violations
Severity
7.5 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "pterodactyl/panel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/pterodactyl/wings"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.12.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-284",
      "CWE-613"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-17T17:15:18Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nDeleting a user account with SFTP access or changing the user\u0027s password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked.\nThis can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.\n\n\n### Details\nWhen a user with SFTP access is deleted from the Pterodactyl Panel or when the user\u0027s password is changed while one or more SFTP connections are active, those existing connections remain fully functional.\n\nNeither account deletion nor password change invalidates the authentication state of already-established SFTP sessions. As a result, the active SFTP connection pool continues to allow read and write operations until the client disconnects or the session times out.\n\nThis behavior occurs even when the password is changed by an administrator through the panel, meaning credential rotation does not revoke active access.\n\nThis suggests that active SFTP sessions are not tracked or forcefully terminated on credential revocation events. This effectively prevents administrators from responding to credential compromise incidents in real time.\n\n\n### PoC\nScenario 1: Account deletion\n1. Create a user with SFTP access to a server.\n2. Connect to the server via SFTP using any SFTP client (e.g. sftp, FileZilla).\n3. Keep the SFTP session open and active.\n4. Delete the user account from the Pterodactyl Panel.\n5. Continue performing file operations through the already-established SFTP connection.\n\nResult:\nThe SFTP session remains active and usable despite the user account being deleted.\n\nScenario 2: Password change\n1. Create a user with SFTP access to a server.\n2. Establish an active SFTP connection.\n3. Change the user\u0027s password (including via administrator panel).\n4. Continue performing file operations using the existing SFTP connection.\n\nResult:\nThe SFTP session remains active and usable even after the password has been changed.\n\n\n### Impact\nThis issue prevents immediate revocation of compromised credentials. Vulnerability type: Access control / session invalidation issue\n\nImpacted parties:\n\n1. Server administrators\n2. Hosting providers using Pterodactyl Panel\n\nSecurity impact:\n\nDeleted users may retain filesystem access longer than intended, which can lead to:\n\n1. Unauthorized data access\n2. Data modification or deletion\n3. Compliance and security policy violations",
  "id": "GHSA-hr7j-63v7-vj7g",
  "modified": "2026-02-17T17:15:19Z",
  "published": "2026-02-17T17:15:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-hr7j-63v7-vj7g"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/panel/commit/0e74f3aadec89405751ec602c77fc1d030a417c0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pterodactyl/panel"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pterodactyl/panel/releases/tag/v1.12.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Pterodactyl Panel\u0027s SFTP sessions remain active after user account deletion or password change"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.