CVE-2026-35202: Pterodactyl has a database resource limit bypass via race condition in Client API
The Pterodactyl Client API has a logic flaw that lets users bypass their assigned limits for database allocations. This happens because the database locking mechanism used in the controllers is totally broken and doesn’t actually lock anything.
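A small model of the flaw class described above, next to a limit check that runs under a real lock. This is an added example, not Pterodactyl's code: the SQLite table `dbs`, the limit of 2, the six concurrent requests and all function names are assumptions made for illustration.

```python
import os
import sqlite3
import tempfile
import threading

LIMIT = 2      # constructed per-server database limit
REQUESTS = 6   # constructed number of simultaneous create requests

def connect(path):
    # Autocommit mode: transactions are opened explicitly where needed.
    return sqlite3.connect(path, timeout=30, isolation_level=None)

def count(conn):
    return conn.execute("SELECT COUNT(*) FROM dbs").fetchall()[0][0]

def create_unlocked(path, gate):
    """Check-then-insert with no effective lock (the flawed pattern)."""
    conn = connect(path)
    under_limit = count(conn) < LIMIT
    gate.wait()  # test aid: every request has passed the check by now
    if under_limit:
        conn.execute("INSERT INTO dbs DEFAULT VALUES")
    conn.close()

def create_locked(path, gate):
    """Count and insert inside one transaction that holds the write lock."""
    conn = connect(path)
    gate.wait()  # test aid: all requests contend at the same moment
    conn.execute("BEGIN IMMEDIATE")  # waits (up to timeout) for the write lock
    if count(conn) < LIMIT:
        conn.execute("INSERT INTO dbs DEFAULT VALUES")
    conn.execute("COMMIT")
    conn.close()

def run(handler):
    """Fire REQUESTS concurrent handlers and return the rows that exist after."""
    path = os.path.join(tempfile.mkdtemp(), "panel.sqlite")
    setup = connect(path)
    setup.execute("CREATE TABLE dbs (id INTEGER PRIMARY KEY)")
    gate = threading.Barrier(REQUESTS)
    workers = [threading.Thread(target=handler, args=(path, gate))
               for _ in range(REQUESTS)]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    total = count(setup)
    setup.close()
    return total
```

`run(create_locked)` can serve as a regression test for a fix: the row count must equal the limit no matter how many requests arrive together.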