GHSA-J7F5-GFQM-PCX3

GHSA-J7F5-GFQM-PCX3 is a medium-severity security vulnerability in pterodactyl/panel (composer), affecting versions < 1.12.3. It is fixed in 1.12.3.

Summary

An unprotected user enumeration vulnerability exists in the account email update endpoint: any authenticated user can verify whether an email address is registered on the panel, and because the endpoint has neither rate limiting nor CAPTCHA protection, the check can be automated across large lists of addresses.

Details

The account settings page allows authenticated users to update their email address through a POST request. Unlike the login and password reset forms, which implement reCAPTCHA and rate limiting, this endpoint has neither safeguard.
An attacker can capture the email update request (for example, using Burp Suite's proxy) and modify the email field to test arbitrary addresses. The response differs depending on whether the submitted address is already registered, so each request confirms or rules out one address. Because no rate limit is enforced, an attacker can send hundreds or thousands of requests and enumerate the user base.

This is concerning because:

  • The login and password reset pages correctly implement protections against enumeration
  • The account page has no reCAPTCHA option available
  • No rate limiting exists in the panel for this endpoint
  • Authentication is required, but any valid account (including a low-privilege, free-tier or trial account) is sufficient to exploit this

PoC

  • Log into the Pterodactyl panel with any valid account
  • Navigate to Account Settings
  • Open Burp Suite (or similar proxy tool) and configure your browser to proxy through it
  • Attempt to change your email address and capture the POST request
  • Send the captured request to Repeater
  • Modify the email field to test candidate addresses (for example, the address an administrator or another customer is likely to use)
  • Send multiple requests in rapid succession
  • Observe the response messages which confirm whether each email exists or not
  • Repeat indefinitely without encountering rate limits or CAPTCHA challenges
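The model below is an added example written for this page, not pterodactyl/panel's own code. It reproduces the behaviour the Details and PoC sections describe (a handler whose response differs for registered and unregistered addresses, with no rate limit) beside a hardened version that returns one generic response and throttles per authenticated user, and it simulates the Burp Repeater loop to show which addresses each version lets an attacker confirm. All function names, messages, the limiter policy and the user table are assumptions.

```python
"""Vulnerable-vs-hardened model of the account email update endpoint.

Added example for this page, not pterodactyl/panel's own code. Function,
message and policy names are assumptions; the user table is constructed.
"""
from __future__ import annotations

import time
from collections import defaultdict, deque
from typing import Callable, Iterable

# Constructed sample data, not real accounts.
REGISTERED_EMAILS = {"admin@panel.example", "ops@panel.example"}


def update_email_vulnerable(user_id: str, new_email: str) -> tuple[int, str]:
    """Pre-1.12.3-style behaviour: the message reveals whether the address is taken."""
    if new_email in REGISTERED_EMAILS:
        return 422, "The email address is already in use."  # CWE-204 leak
    return 200, "Your email address has been updated."


class RateLimiter:
    """Sliding-window limiter keyed by the authenticated user (assumed policy).

    `clock` is injectable so tests are deterministic; it defaults to a
    monotonic clock.
    """

    def __init__(self, max_requests: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self._hits: dict[str, deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] > self.window:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def update_email_hardened(user_id: str, new_email: str,
                          limiter: RateLimiter) -> tuple[int, str]:
    """Same response whether or not the address exists, plus a per-user limit.

    The conflict is resolved out of band: a verification link goes to the
    new address only if it is free, and the HTTP response never says which
    branch was taken.
    """
    if not limiter.allow(user_id):
        return 429, "Too many requests. Try again later."
    if new_email not in REGISTERED_EMAILS:
        pass  # real code: store the pending change, mail a verification link to new_email
    return 202, "If the address is available, a confirmation link has been sent to it."


def enumerate_via(handler: Callable[[str], tuple[int, str]],
                  candidates: Iterable[str]) -> set[str]:
    """Simulate the PoC: which candidates can an attacker confirm as registered?

    An address counts as confirmed when its response differs from the
    response for an address that is certainly not registered.
    """
    responses = {c: handler(c) for c in candidates}
    baseline = handler("nobody-here@nowhere.invalid")
    return {c for c, r in responses.items() if r != baseline}


if __name__ == "__main__":
    probes = ["admin@panel.example", "nobody@panel.example"]
    print("vulnerable:", enumerate_via(lambda e: update_email_vulnerable("attacker", e), probes))
    limiter = RateLimiter(max_requests=10, window_seconds=60)
    print("hardened:  ", enumerate_via(lambda e: update_email_hardened("attacker", e, limiter), probes))
```

Two caveats apply to the hardened branch. A uniform message is only half the fix: if the "address is free" branch does noticeably more work (sending mail, writing a pending-change row) than the "address is taken" branch, response timing still leaks the same bit, so the expensive work should be queued rather than done inline. And throttling per authenticated user rather than per IP is deliberate here, because the attacker already holds a valid session; the panel is a Laravel application, so the same effect can be had with Laravel's `throttle` route middleware keyed on the user.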

Impact

This is a user enumeration vulnerability (CWE-204: Observable Response Discrepancy).

Who is impacted:

  • All Pterodactyl panel installations running a version before 1.12.3 are affected
  • Any registered user's email address can be discovered
  • Particularly impacts administrators and high-value accounts

Potential consequences:

  • Attackers can build a complete database of registered users
  • Enumerated emails can be used for targeted phishing campaigns
  • Enumerated emails can be combined with other attacks (credential stuffing, social engineering)
  • Privacy violation for all users on the platform
  • Competitive intelligence gathering (identifying which companies/individuals use specific panels)

Affected versions

pterodactyl/panel (< 1.12.3)

Security releases

pterodactyl/panel → 1.12.3 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade pterodactyl/panel to 1.12.3 or later to resolve this vulnerability.
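Until the upgrade is applied, the pattern the PoC relies on (one client sending a burst of requests to the email update endpoint) is visible in the web server's access log. The script below is an added example written for this page, not part of pterodactyl/panel: it parses combined-format log lines and flags any source IP that hits the endpoint at least a threshold number of times inside a sliding window. The endpoint path and the threshold are assumptions, and the log lines are constructed rather than real captures.

```python
"""Spot the enumeration pattern in web-server access logs.

Added example for this page, not part of pterodactyl/panel. The endpoint
path, the threshold and the log lines are assumptions or constructed data.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

ACCOUNT_EMAIL_PATH = "/api/client/account/email"   # assumed endpoint path
THRESHOLD = 20                                      # assumed: hits per window from one IP
WINDOW = timedelta(seconds=60)

# nginx/Apache "combined" format up to the status code; the rest is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, timestamp, method, path-without-query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], TS_FMT)
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def find_enumeration(lines, threshold: int = THRESHOLD,
                     window: timedelta = WINDOW) -> dict[str, datetime]:
    """Map each source IP that hit the endpoint >= threshold times within one
    window to the timestamp of the request that crossed the line."""
    recent: dict[str, deque] = defaultdict(deque)
    alerts: dict[str, datetime] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if path != ACCOUNT_EMAIL_PATH or method not in ("POST", "PUT"):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # keep only hits inside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


def _lines(ip: str, start: datetime, count: int, spacing: timedelta,
           path: str = ACCOUNT_EMAIL_PATH) -> list[str]:
    """Build constructed log lines (not real captures) for the sample below."""
    return [f'{ip} - - [{(start + i * spacing).strftime(TS_FMT)}] '
            f'"POST {path} HTTP/1.1" 422 87 "-" "Mozilla/5.0"'
            for i in range(count)]


_T0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    _lines("198.51.100.5", _T0, 3, timedelta(seconds=30))                # legitimate retries
    + _lines("192.0.2.9", _T0, 50, timedelta(seconds=1), "/api/client")  # busy, other route
    + _lines("203.0.113.7", _T0, 30, timedelta(seconds=1))               # rapid enumeration
    + _lines("203.0.113.8", _T0, 30, timedelta(seconds=10))              # low-and-slow: evades
)


if __name__ == "__main__":
    for ip, when in find_enumeration(SAMPLE_LOG).items():
        print(f"possible enumeration from {ip}, threshold crossed at {when.isoformat()}")
```

The sample includes a low-and-slow client that spaces its probes ten seconds apart and never accumulates twenty hits in any sixty-second window, which is the limitation of a pure rate threshold: an attacker willing to wait evades it. A second rule that counts distinct-address probes per source per day, or the count of 4xx responses on this path, catches that case, and because the access log identifies only the source IP, correlating with the panel's session or user identifier gives a far more precise signal than the IP alone.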

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is GHSA-J7F5-GFQM-PCX3? GHSA-J7F5-GFQM-PCX3 is a medium-severity security vulnerability in pterodactyl/panel (composer), affecting versions < 1.12.3. It is fixed in 1.12.3.
  2. Which versions of pterodactyl/panel are affected by GHSA-J7F5-GFQM-PCX3? pterodactyl/panel (composer) versions < 1.12.3 are affected.
  3. Is there a fix for GHSA-J7F5-GFQM-PCX3? Yes. GHSA-J7F5-GFQM-PCX3 is fixed in 1.12.3. Upgrade to this version or later.
  4. Is GHSA-J7F5-GFQM-PCX3 exploitable, and should I be worried? Whether GHSA-J7F5-GFQM-PCX3 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  5. What actually determines whether GHSA-J7F5-GFQM-PCX3 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix GHSA-J7F5-GFQM-PCX3? Upgrade pterodactyl/panel to 1.12.3 or later.

Other vulnerabilities in pterodactyl/panel

  • CVE-2026-35202
  • CVE-2026-26016
  • CVE-2025-69198
  • CVE-2025-69197
  • CVE-2025-68954
