CVE-2021-41176

logout CSRF in Pterodactyl Panel

Description

Pterodactyl is an open-source game server management panel built with PHP 7, React, and Go. In affected versions of Pterodactyl, a malicious user can trigger a logout if a signed-in user visits a malicious website that makes a request to the Panel's sign-out endpoint (a cross-site request forgery, CSRF, against that endpoint). This requires a targeted attack against a specific Panel instance and serves only to sign the user out. **No user details are leaked, nor is any user data affected; this is simply an annoyance at worst.** This is fixed in version 1.6.3.

Scoring

CVSS score: 4.3 (Severity: Medium)
EPSS: 0.17%
Affected: pterodactyl panel

References

Third-Party Advisory: github.com (three entries)

Frequently Asked Questions

What is the severity of CVE-2021-41176?
CVE-2021-41176 has been scored as a medium severity vulnerability.
How to fix CVE-2021-41176?
To fix CVE-2021-41176, upgrade Pterodactyl Panel to version 1.6.3 or later, which contains the fix, and check the vendor release notes for details. As of now, there are no other specific guidelines available.
Is CVE-2021-41176 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2021-41176 is being actively exploited. Its EPSS score (0.17%) puts the probability that this vulnerability will be exploited by malicious actors in the next 30 days at roughly 0.2%.
What software or system is affected by CVE-2021-41176?
CVE-2021-41176 affects pterodactyl panel.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.