Cross-Site Request Forgery (CSRF) in pterodactyl/panel


Reported on

Nov 15th 2021


Following state-changing endpoints are vulnerable to CSRF:

1: GET /admin/nodes/view/1/settings/token (auto-generates token when token not generated yet)

2: GET /admin/settings/mail/test (The X-CSRF-Token header for the API request is not validated on backend, should be a POST request to make things easy imo)

Proof of Concept

<a href="http://[pterodactyl-url]/admin/settings/mail/test">CLICK ME!</a>
<a href="http://[pterodactyl-url]/admin/nodes/view/1/settings/token">CLICK ME!</a>


This vulnerability is capable of tricking admin users to spam unwanted test emails to admin user / token generation


generate token frontend

test mail api

test mail frontend

generate token api

test mail backend (x-csrf-token not validated)

We are processing your report and will contact the pterodactyl/panel team within 24 hours. a year ago
haxatron modified the report
a year ago
We have contacted a member of the pterodactyl/panel team and are waiting to hear back a year ago
Dane Everitt validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dane Everitt marked this as fixed with commit bf9cbe a year ago
Dane Everitt has been awarded the fix bounty
This vulnerability will not receive a CVE
admin.php#L156 has been validated
admin.php#L69 has been validated
mail.blade.php#L137L161 has been validated
MailController.php#L110L120 has been validated
a year ago


Dear @admin, please remove CVE as per maintainers wishes in this report

Dane Everitt
a year ago


@admin please do not create a CVE, this project uses GitHub for security alerting and CVE handling.

a year ago


I have informed @admin via Discord. There is a delay between report validation and CVE creation, so not to worry.

Jamie Slome
a year ago


@daneeveritt - we have removed the CVE from this report.

to join this conversation