Pterodactyl v1.12.0 Update

The Pterodactyl v1.12 update is a focused release that tightens security, fixes long standing edge cases, and smooths out several rough spots across the Panel and Wings. While there are no flashy new features, this update puts a lot of attention where it matters most: correctness, predictability, and safety in day to day operations.

The most important part of v1.12 is the resolution of three security vulnerabilities, two of which are now fully disclosed.

This issue affected the SFTP subsystem used to access server files. Previously, if a user was already connected over SFTP and then removed from a server or had their file permissions reduced, that existing connection would remain active. Because permissions were only checked during the initial authentication handshake, the connection would persist until the user disconnected or Wings restarted.

The impact was limited to the affected server’s filesystem. There was no exposure of Wings internals or other servers, and the user had to already be connected at the time permissions were changed. Still, this behavior was not acceptable.

In v1.12, this is fully resolved. Active SFTP sessions are now properly invalidated when permissions change. Upgrading both [email protected] and [email protected] is the recommended fix.

A flaw in the 2FA flow allowed a valid TOTP token to be reused during its short validity window. If an attacker already had a username and password, and managed to intercept a token, that same token could be used again within roughly 60 seconds.

This update ensures tokens are correctly marked as used, closing that window entirely.

This CVE has not yet been publicly disclosed, but it is addressed in v1.12. As with the others, upgrading is the safest path forward.

Beyond security, v1.12 resolves a wide range of issues that many administrators and users have run into over time.

Scheduled tasks now respect their configured cron syntax instead of running every minute. Undoing changes in the file editor using Ctrl+Z no longer wipes the initial file contents. Uploading 0-byte files no longer results in an error. Allocation notes are properly cleared when servers are deleted, and node descriptions can once again be set through the API.

Several confusing or incorrect behaviors were also cleaned up, including misleading error messages when an admin tried to delete their own account, nodes displaying the wrong location when not edited, and a missing HttpForbiddenException import that could break backup status checks.

This release also modernizes parts of the stack and makes some intentional behavior changes.

The minimum NodeJS version for building is now 22, and JavaScript and PHP dependencies have been updated where possible. IBM Plex Sans is bundled locally instead of being loaded from Google CDNs, reducing external dependencies.

On the API side, the client endpoint for disabling 2FA has changed to a POST request, and administrators are now listed first when viewing all users. Upload size limits on nodes are no longer capped at 1024MB and can be set to any positive integer value.

There are also quality of life improvements under the hood. Websockets no longer endlessly retry when a connection should not be reattempted, and control characters in egg stop configurations no longer rewrite themselves into defaults.

Pterodactyl v1.12 is not about big features, but it is an important release. It closes real security gaps, fixes behavior that could lead to data loss or confusion, and makes the platform more predictable for both users and administrators.

If you are running an older version, upgrading should be considered a priority, especially to address the SFTP and 2FA vulnerabilities. This update reinforces the foundation that future releases will build on, and it makes everyday management just a little more reliable.