A vulnerability in Pelican Panel’s /api/remote/* endpoints allows any valid node token (remote.token_id + remote.token) to access server data for servers hosted on other nodes. This effectively turns any node token into a global API key for all nodes.
Each Wings node in Pelican has unique tokens defined in wings/config.yml. These credentials should only allow access to servers physically assigned to that node.
However, during testing, I found that:
- Node-1’s token could be used to query and retrieve details for a server assigned to Node-2.
- The request was made to the Panel’s /api/remote/servers/{uuid} endpoint, not directly to Wings.
- The Panel accepted the token without verifying that it matched the server’s assigned node.
This means token scope validation is missing or incorrect in the Panel’s remote API.
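A model of the missing check, added here as an example and not code from Pelican Panel (whose Panel is written in PHP, so this is a Python sketch of the logic, not its API): the unscoped lookup beside a node-scoped one, using constructed node and server records that stand in for the Panel's database.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    id: int
    token_id: str
    token: str  # secret from that node's wings/config.yml

@dataclass(frozen=True)
class Server:
    uuid: str
    node_id: int  # node the Panel has assigned this server to

# Constructed sample data standing in for the Panel's database (not real credentials).
NODES = {
    "node1-id": Node(1, "node1-id", "node1-secret"),
    "node2-id": Node(2, "node2-id", "node2-secret"),
}
SERVERS = {
    "srv-on-node1": Server("srv-on-node1", 1),
    "srv-on-node2": Server("srv-on-node2", 2),
}

def authenticate_node(token_id, token):
    """Verify the node credentials; this proves the caller is *a* node, nothing more."""
    node = NODES.get(token_id)
    if node is None or not hmac.compare_digest(node.token, token):
        raise PermissionError("invalid node credentials")  # HTTP 401
    return node

def get_server_unscoped(token_id, token, uuid):
    """Vulnerable shape: any authenticated node can read any server record."""
    authenticate_node(token_id, token)
    return SERVERS.get(uuid)  # None means HTTP 404

def get_server_scoped(token_id, token, uuid):
    """Hardened shape: release the record only if it belongs to the calling node."""
    node = authenticate_node(token_id, token)
    server = SERVERS.get(uuid)
    if server is None or server.node_id != node.id:
        # One answer for "unknown" and "on another node", so the endpoint does
        # not confirm to a foreign node which UUIDs exist elsewhere.
        return None
    return server
```

The scope check belongs next to authentication, on every /api/remote/* handler that takes a server UUID, rather than in individual callers.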