CVE intelligence and bounded remediation
CVE-2023-32080 — Wings is the server control plane for Pterodactyl Panel
Wings is the server control plane for Pterodactyl Panel. A vulnerability affecting versions prior to 1.7.5 and versions 1.11.0 prior to 1.11.6 impacts anyone running the affected versions of Wings. This vulnerability can be used to gain access to the host system running Wings if a user is able to modify an server's install script or the install script executes code supplied by the user (either through environment variables, or commands that execute commands based off of user data). This vulnerability has been resolved in version `v1.11.6` of Wings, and has been back-ported to the 1.7 release series in `v1.7.5`. Anyone running `v1.11.x` should upgrade to `v1.11.6` and anyone running `v1.7.x` should upgrade to `v1.7.5`. There are no workarounds aside from upgrading. Running Wings with a rootless container runtime may mitigate the severity of any attacks, however the majority of users are using container runtimes that run as root as per the Wings documentation. SELinux may prevent attackers from performing certain operations against the host system, however privileged containers have a lot of freedom even on systems with SELinux enabled. It should be noted that this was a known attac…
- Severity
- Critical
- CVSS
- 9 (3.1)
- Published
- 2023-05-10
- CISA KEV
- Not currently listed
- Ecosystem
- software/application
- Weaknesses
- CWE-250
Affected products
- pterodactyl / wings
Matched remediation archetype
Privilege escalation and unsafe privilege management
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Map service accounts, operating-system identities, roles, capabilities, impersonation, set-user transitions, and administrative helper paths.
- Determine whether untrusted users or lower-privilege processes can reach the affected transition or modify inputs it trusts.
- Review file, socket, registry, device, job, container, and cloud-role permissions used before and after privilege changes.
Remediate safely
- Apply the supported fix and redesign privileged operations as a minimal, authenticated, allowlisted interface.
- Drop privileges before processing untrusted input, verify the drop succeeds, and remove unnecessary roles, capabilities, and write permissions.
- Validate ownership and permissions at time of use and add explicit lower-to-higher privilege boundary tests.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.