Vulnerability Database

357,869

Total vulnerabilities in the database

Pterodactyl Panel: Client email change endpoint allows enumeration of accounts in system — pterodactyl / panel

Observable Response Discrepancy

Summary

An unprotected user enumeration vulnerability exists in the account email update endpoint, allowing authenticated users to verify whether email addresses are registered on the panel through automated requests without rate limiting or CAPTCHA protection.

Details

The account settings page allows authenticated users to update their email address through a POST request. Unlike the login and password reset forms which implement reCAPTCHA and rate limiting protections, this endpoint lacks these safeguards entirely. An attacker can capture the email update request (for example, using Burp Suite's proxy) and modify the email field to test arbitrary addresses. The panel's response will confirm whether each tested email is already registered in the system. Because there are no rate limits implemented, attackers can send hundreds or thousands of requests to enumerate the user base.

This is concerning because:

  • The login and password reset pages correctly implement protections against enumeration
  • The account page has no reCAPTCHA option available
  • No rate limiting exists in the panel for this endpoint
  • Authentication is required, but any valid account (including free tier/trial accounts) can exploit this

PoC

  • Log into the Pterodactyl panel with any valid account
  • Navigate to Account Settings
  • Open Burp Suite (or similar proxy tool) and configure your browser to proxy through it
  • Attempt to change your email address and capture the POST request
  • Send the captured request to Repeater
  • Modify the email field to test different addresses (e.g., [email protected], [email protected])
  • Send multiple requests in rapid succession
  • Observe the response messages which confirm whether each email exists or not
  • Repeat indefinitely without encountering rate limits or CAPTCHA challenges

Impact

This is a user enumeration vulnerability (CWE-204: Observable Response Discrepancy).

Who is impacted:

  • All Pterodactyl panel installations are affected
  • Any registered user's email address can be discovered
  • Particularly impacts administrators and high-value accounts

Potential consequences:

  • Attackers can build a complete database of registered users
  • Enumerated emails can be used for targeted phishing campaigns
  • Combined with other attacks (credential stuffing, social engineering)
  • Privacy violation for all users on the platform
  • Competitive intelligence gathering (identifying which companies/individuals use specific panels)
  • Published: Jun 26, 2026
  • Updated: Jun 27, 2026
  • GHSA: GHSA-j7f5-gfqm-pcx3
  • Severity: Medium
  • Exploit:
  • CISA KEV:

No technical information available.

CWEs:

Frequently Asked Questions

A security vulnerability is a weakness in software, hardware, or configuration that can be exploited to compromise confidentiality, integrity, or availability. Many vulnerabilities are tracked as CVEs (Common Vulnerabilities and Exposures), which provide a standardized identifier so teams can coordinate patching, mitigation, and risk assessment across tools and vendors.

CVSS (Common Vulnerability Scoring System) estimates technical severity, but it doesn't automatically equal business risk. Prioritize using context like internet exposure, affected asset criticality, known exploitation (proof-of-concept or in-the-wild), and whether compensating controls exist. A "Medium" CVSS on an exposed, production system can be more urgent than a "Critical" on an isolated, non-production host.

A vulnerability is the underlying weakness. An exploit is the method or code used to take advantage of it. A zero-day is a vulnerability that is unknown to the vendor or has no publicly available fix when attackers begin using it. In practice, risk increases sharply when exploitation becomes reliable or widespread.

Recurring findings usually come from incomplete Asset Discovery, inconsistent patch management, inherited images, and configuration drift. In modern environments, you also need to watch the software supply chain: dependencies, containers, build pipelines, and third-party services can reintroduce the same weakness even after you patch a single host. Unknown or unmanaged assets (often called Shadow IT) are a common reason the same issues resurface.

Use a simple, repeatable triage model: focus first on externally exposed assets, high-value systems (identity, VPN, email, production), vulnerabilities with known exploits, and issues that enable remote code execution or privilege escalation. Then enforce patch SLAs and track progress using consistent metrics so remediation is steady, not reactive.

SynScan combines attack surface monitoring and continuous security auditing to keep your inventory current, flag high-impact vulnerabilities early, and help you turn raw findings into a practical remediation plan.