GHSA-J7F5-GFQM-PCX3
Vulnerability from github – Published: 2026-06-26 20:54 – Updated: 2026-06-26 20:54Summary
An unprotected user enumeration vulnerability exists in the account email update endpoint, allowing authenticated users to verify whether email addresses are registered on the panel through automated requests without rate limiting or CAPTCHA protection.
Details
The account settings page allows authenticated users to update their email address through a POST request. Unlike the login and password reset forms which implement reCAPTCHA and rate limiting protections, this endpoint lacks these safeguards entirely. An attacker can capture the email update request (for example, using Burp Suite's proxy) and modify the email field to test arbitrary addresses. The panel's response will confirm whether each tested email is already registered in the system. Because there are no rate limits implemented, attackers can send hundreds or thousands of requests to enumerate the user base.
This is concerning because:
- The login and password reset pages correctly implement protections against enumeration
- The account page has no reCAPTCHA option available
- No rate limiting exists in the panel for this endpoint
- Authentication is required, but any valid account (including free tier/trial accounts) can exploit this
PoC
- Log into the Pterodactyl panel with any valid account
- Navigate to Account Settings
- Open Burp Suite (or similar proxy tool) and configure your browser to proxy through it
- Attempt to change your email address and capture the POST request
- Send the captured request to Repeater
- Modify the email field to test different addresses (e.g., admin@example.com, test@example.com)
- Send multiple requests in rapid succession
- Observe the response messages which confirm whether each email exists or not
- Repeat indefinitely without encountering rate limits or CAPTCHA challenges
Impact
This is a user enumeration vulnerability (CWE-204: Observable Response Discrepancy).
Who is impacted:
- All Pterodactyl panel installations are affected
- Any registered user's email address can be discovered
- Particularly impacts administrators and high-value accounts
Potential consequences:
- Attackers can build a complete database of registered users
- Enumerated emails can be used for targeted phishing campaigns
- Combined with other attacks (credential stuffing, social engineering)
- Privacy violation for all users on the platform
- Competitive intelligence gathering (identifying which companies/individuals use specific panels)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "pterodactyl/panel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.12.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-204"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-26T20:54:38Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nAn unprotected user enumeration vulnerability exists in the account email update endpoint, allowing authenticated users to verify whether email addresses are registered on the panel through automated requests without rate limiting or CAPTCHA protection.\n\n### Details\nThe account settings page allows authenticated users to update their email address through a POST request. Unlike the login and password reset forms which implement reCAPTCHA and rate limiting protections, this endpoint lacks these safeguards entirely.\nAn attacker can capture the email update request (for example, using Burp Suite\u0027s proxy) and modify the email field to test arbitrary addresses. The panel\u0027s response will confirm whether each tested email is already registered in the system. Because there are no rate limits implemented, attackers can send hundreds or thousands of requests to enumerate the user base.\n\nThis is concerning because:\n\n- The login and password reset pages correctly implement protections against enumeration\n- The account page has no reCAPTCHA option available\n- No rate limiting exists in the panel for this endpoint\n- Authentication is required, but any valid account (including free tier/trial accounts) can exploit this\n\n### PoC\n- Log into the Pterodactyl panel with any valid account\n- Navigate to Account Settings\n- Open Burp Suite (or similar proxy tool) and configure your browser to proxy through it\n- Attempt to change your email address and capture the POST request\n- Send the captured request to Repeater\n- Modify the email field to test different addresses (e.g., admin@example.com, test@example.com)\n- Send multiple requests in rapid succession\n- Observe the response messages which confirm whether each email exists or not \n- Repeat indefinitely without encountering rate limits or CAPTCHA challenges\n\n\n### Impact\nThis is a user enumeration vulnerability (CWE-204: Observable Response Discrepancy).\n\nWho is impacted:\n\n- All Pterodactyl panel installations are affected\n- Any registered user\u0027s email address can be discovered\n- Particularly impacts administrators and high-value accounts\n\nPotential consequences:\n\n- Attackers can build a complete database of registered users\n- Enumerated emails can be used for targeted phishing campaigns\n- Combined with other attacks (credential stuffing, social engineering)\n- Privacy violation for all users on the platform\n- Competitive intelligence gathering (identifying which companies/individuals use specific panels)",
"id": "GHSA-j7f5-gfqm-pcx3",
"modified": "2026-06-26T20:54:38Z",
"published": "2026-06-26T20:54:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pterodactyl/panel/security/advisories/GHSA-j7f5-gfqm-pcx3"
},
{
"type": "PACKAGE",
"url": "https://github.com/pterodactyl/panel"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.