Summary
Deleting a user account with SFTP access or changing the user's password does not immediately terminate existing SFTP sessions, allowing continued filesystem access after credentials are revoked.
This can result in unintended and unauthorized access to server files even after administrators believe access has been fully invalidated.
Details
When a user with SFTP access is deleted from the Pterodactyl Panel or when the user's password is changed while one or more SFTP connections are active, those existing connections remain fully functional.
Neither account deletion nor password change invalidates the authentication state of already-established SFTP sessions. As a result, the active SFTP connection pool continues to allow read and write operations until the client disconnects or the session times out.
This behavior occurs even when the password is changed by an administrator through the panel, meaning credential rotation does not revoke active access.
This suggests that active SFTP sessions are not tracked or forcefully terminated on credential revocation events. This effectively prevents administrators from responding to credential compromise incidents in real time.
PoC
Scenario 1: Account deletion
- Create a user with SFTP access to a server.
- Connect to the server via SFTP using any SFTP client (e.g. sftp, FileZilla).
- Keep the SFTP session open and active.
- Delete the user account from the Pterodactyl Panel.
- Continue performing file operations through the already-established SFTP connection.
Result:
The SFTP session remains active and usable despite the user account being deleted.
Scenario 2: Password change
- Create a user with SFTP access to a server.
- Establish an active SFTP connection.
- Change the user's password (including via administrator panel).
- Continue performing file operations using the existing SFTP connection.
Result:
The SFTP session remains active and usable even after the password has been changed.
Impact
This issue prevents immediate revocation of compromised credentials. Vulnerability type: Access control / session invalidation issue
Impacted parties:
- Server administrators
- Hosting providers using Pterodactyl Panel
Security impact:
Deleted users may retain filesystem access longer than intended, which can lead to:
- Unauthorized data access
- Data modification or deletion
- Compliance and security policy violations
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
pterodactyl/panel to 1.12.1 or later; github.com/pterodactyl/wings to 1.12.1 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-HR7J-63V7-VJ7G? GHSA-HR7J-63V7-VJ7G is a high-severity security vulnerability in pterodactyl/panel (composer), affecting versions < 1.12.1. It is fixed in 1.12.1.
- Which packages are affected by GHSA-HR7J-63V7-VJ7G?
pterodactyl/panel(composer) (versions < 1.12.1)github.com/pterodactyl/wings(go) (versions < 1.12.1)
- Is there a fix for GHSA-HR7J-63V7-VJ7G? Yes. GHSA-HR7J-63V7-VJ7G is fixed in 1.12.1. Upgrade to this version or later.
- Is GHSA-HR7J-63V7-VJ7G exploitable, and should I be worried? Whether GHSA-HR7J-63V7-VJ7G is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-HR7J-63V7-VJ7G is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-HR7J-63V7-VJ7G?
- Upgrade
pterodactyl/panelto 1.12.1 or later - Upgrade
github.com/pterodactyl/wingsto 1.12.1 or later
- Upgrade