GHSA-fgmm-w5cx-vrfw: Pterodactyl has a database resource limit bypass via race condition in Client API
low
vulnerability
security
Summary
Pterodactyl's Client API has a race condition (a security flaw where multiple requests happening simultaneously interfere with each other) that allows users to create more databases than their assigned limit. The vulnerability exists because the database locking mechanism in the code calls a Laravel function that doesn't actually lock anything, since it's missing a required terminal method like count() or get().
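The lazy-builder behaviour described in the summary can be modelled as below. This is an added Python illustration, not Pterodactyl or Laravel code: Table, Query, create_database and race are constructed names, and the separate unlocked count in the flawed path is an assumption about the request flow.

```python
import threading

class Table:
    """Constructed in-memory stand-in for the databases table."""
    def __init__(self):
        self.rows, self.row_lock = [], threading.Lock()

class Query:
    """Lazy builder: chained methods only record intent until a terminal runs."""
    def __init__(self, table, held):
        self.table, self.held, self.want_lock = table, held, False

    def lock_for_update(self):
        self.want_lock = True          # nothing reaches the "database" yet
        return self

    def count(self):                   # terminal method: the query executes now
        if self.want_lock:
            self.table.row_lock.acquire()
            self.held.append(self.table.row_lock)
        return len(self.table.rows)

def create_database(table, limit, run_terminal, window):
    held = []                          # locks owned by this request's transaction
    try:
        locked = Query(table, held).lock_for_update()
        if run_terminal:
            current = locked.count()   # fixed: lock is taken, then the count is read
        else:
            current = Query(table, held).count()  # flawed: lock query never ran
        if current >= limit:
            return
        try:                           # hold the check-to-insert window open
            window.wait(timeout=0.5)
        except threading.BrokenBarrierError:
            pass                       # the other request is blocked on the lock
        table.rows.append("db")
    finally:
        for lock in held:              # "commit": release row locks
            lock.release()

def race(run_terminal, limit=1, requests=2):
    table, window = Table(), threading.Barrier(requests)
    threads = [threading.Thread(target=create_database,
                                args=(table, limit, run_terminal, window))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(table.rows)
```

With the terminal call in place the second request blocks until the first commits, then sees the updated count and is refused.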
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
May 26, 2026
Classification
Attack Sophistication: Moderate
Affected Vendors
Affected Packages
pterodactyl/panel@< 1.12.3 (fixed: 1.12.3)
Original source: https://github.com/advisories/GHSA-fgmm-w5cx-vrfw
First tracked: May 26, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%