GHSA-hr7j-63v7-vj7g: Pterodactyl Panel's SFTP sessions remain active after user account deletion or password change
Deleting a user account with SFTP access or changing the user’s password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked. This can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.