GHSA-j7f5-gfqm-pcx3

GHSA-j7f5-gfqm-pcx3 MEDIUM
Published June 26, 2026

### Summary

An unprotected user enumeration vulnerability exists in the account email update endpoint, allowing authenticated users to verify whether email addresses are registered on the panel through automated requests without rate limiting or CAPTCHA protection.

### Details

The account settings...

Full CISO analysis pending enrichment.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| Panel | composer | < 1.12.3 | 1.12.3 |

How severe is it?

CVSS 3.1
N/A
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What should I do?

Patch available

Update Panel to version 1.12.3

Which compliance frameworks are affected?

Compliance analysis pending.

Frequently Asked Questions

What is GHSA-j7f5-gfqm-pcx3?

An unprotected user enumeration vulnerability exists in the account email update endpoint, allowing authenticated users to verify whether email addresses are registered on the panel through automated requests without rate limiting or CAPTCHA protection. The full advisory text is reproduced under "What are the technical details?" below.

Is GHSA-j7f5-gfqm-pcx3 actively exploited?

No confirmed active exploitation of GHSA-j7f5-gfqm-pcx3 has been reported, but organizations should still patch proactively.

How to fix GHSA-j7f5-gfqm-pcx3?

Update to patched version: Panel 1.12.3.

What is the CVSS score for GHSA-j7f5-gfqm-pcx3?

No CVSS score has been assigned yet.

What are the technical details?

Original Advisory

### Summary

An unprotected user enumeration vulnerability exists in the account email update endpoint, allowing authenticated users to verify whether email addresses are registered on the panel through automated requests without rate limiting or CAPTCHA protection.

### Details

The account settings page allows authenticated users to update their email address through a POST request. Unlike the login and password reset forms which implement reCAPTCHA and rate limiting protections, this endpoint lacks these safeguards entirely.

An attacker can capture the email update request (for example, using Burp Suite's proxy) and modify the email field to test arbitrary addresses. The panel's response will confirm whether each tested email is already registered in the system. Because there are no rate limits implemented, attackers can send hundreds or thousands of requests to enumerate the user base.

This is concerning because:

- The login and password reset pages correctly implement protections against enumeration
- The account page has no reCAPTCHA option available
- No rate limiting exists in the panel for this endpoint
- Authentication is required, but any valid account (including free tier/trial accounts) can exploit this

### PoC

- Log into the Pterodactyl panel with any valid account
- Navigate to Account Settings
- Open Burp Suite (or similar proxy tool) and configure your browser to proxy through it
- Attempt to change your email address and capture the POST request
- Send the captured request to Repeater
- Modify the email field to test different addresses (e.g., admin@example.com, test@example.com)
- Send multiple requests in rapid succession
- Observe the response messages which confirm whether each email exists or not
- Repeat indefinitely without encountering rate limits or CAPTCHA challenges

### Impact

This is a user enumeration vulnerability (CWE-204: Observable Response Discrepancy).

Who is impacted:

- All Pterodactyl panel installations are affected
- Any registered user's email address can be discovered
- Particularly impacts administrators and high-value accounts

Potential consequences:

- Attackers can build a complete database of registered users
- Enumerated emails can be used for targeted phishing campaigns
- Combined with other attacks (credential stuffing, social engineering)
- Privacy violation for all users on the platform
- Competitive intelligence gathering (identifying which companies/individuals use specific panels)
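As an added example (Python rather than the panel's PHP, and not Pterodactyl's own code), the leaky behaviour the advisory describes next to a hardened handler: the `REGISTERED` data, `EmailUpdateRateLimiter` and `hardened_update_email` are assumptions constructed for this illustration, and `responses_distinguishable` is the check a defender can run against either handler to confirm the CWE-204 discrepancy is gone and the per-account throttle engages.

```python
import time
from collections import defaultdict, deque

# Constructed demo data standing in for the panel's user table (not Pterodactyl's model).
REGISTERED = {"admin@example.com", "alice@example.com"}

def leaky_update_email(new_email):
    """Behaviour the advisory describes: the reply differs depending on whether
    the address exists, so each probe leaks one bit (CWE-204)."""
    if new_email in REGISTERED:
        return {"status": 422, "message": "The email has already been taken."}
    return {"status": 200, "message": "Email updated."}

class EmailUpdateRateLimiter:
    """Hypothetical per-account sliding-window limiter for the email endpoint."""
    def __init__(self, max_requests=5, window_seconds=60):
        self.max_requests = max_requests
        self.window = window_seconds
        self.hits = defaultdict(deque)   # account_id -> request timestamps

    def allow(self, account_id, now=None):
        now = time.time() if now is None else now
        q = self.hits[account_id]
        while q and q[0] <= now - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True

def hardened_update_email(account_id, new_email, limiter, now=None):
    """Mitigated handler (hypothetical): throttle per account and answer identically
    whether or not the address is taken. The change only completes when the new
    address confirms a mailed link; a taken address is silently skipped, so the
    HTTP response itself carries no registration signal."""
    if not limiter.allow(account_id, now):
        return {"status": 429, "message": "Too many requests."}
    if new_email not in REGISTERED:
        pass  # queue the verification mail to new_email here (mail sending out of scope)
    return {"status": 202,
            "message": "If the address is eligible, a confirmation link has been sent."}

def responses_distinguishable(handler):
    """Defender's check: probe a known-registered and an unregistered address
    through the handler and report whether the replies differ."""
    taken = handler("admin@example.com")
    free = handler("nobody@example.com")
    return (taken["status"], taken["message"]) != (free["status"], free["message"])
```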

Weaknesses (CWE)

CWE-204 — Observable Response Discrepancy: The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
  • [Implementation] Ensure that error messages only contain minimal details that are useful to the intended audience and no one else. The messages need to strike the balance between being too cryptic (which can confuse users) or being too detailed (which may reveal more than intended). The messages should not reveal the methods that were used to determine the error. Attackers can use detailed information to refine or optimize their original attack, thereby increasing their chances of success. If errors must be captured in some detail, record them in log messages, but consider what could occur if the log messages can be viewed by attackers. Highly sensitive information such as passwords should never be saved to log files. Avoid inconsistent messaging that might accidentally tip off an attacker about internal state, such as whether a user account exists or not.

Source: MITRE CWE corpus.

Timeline

Published: June 26, 2026
Last Modified: June 26, 2026
First Seen: June 27, 2026
