Skip to main content

CtrlPanel 1.2.0 is here!

· 5 min read
1Day2Die
1Day2Die
Project Manager
MrWeez
MrWeez
Contribution Director & Maintainer
Simba
Simba
Maintainer

After nearly 10 months of development, we are ready to present version 1.2.0 as a stable release.

We want to be transparent with our community: version 1.1 was released prematurely, and we are not proud of that. It shipped with too many rough edges and took far longer to stabilize than it should have. We heard your frustration, and we took it seriously.

With 1.2.0, we made a commitment to not repeat that mistake. This release went through a full beta testing phase before reaching stable, and we are confident it reflects the quality our users deserve.

This update brings a large number of bug fixes, new features, and importantly, patches for several critical security vulnerabilities. We strongly urge every CtrlPanel user to upgrade as soon as possible. Do not wait for themes or addons to be updated first - running an outdated version puts both you and your clients at risk.

License Change

Starting with this release, CtrlPanel moves from AGPL 3.0 to the Mozilla Public License 2.0 (MPL 2.0).

We'll be honest - we didn't fully think through the implications of AGPL 3.0 when we adopted it. As we looked closer, we realized it was placing an unreasonable burden on our community - particularly on users running the panel and developers building third-party addons. The license was doing more harm than good, and that was never our intention.

MPL 2.0 is a more balanced license that still protects the project while giving the community the freedom it needs to grow.

As for previous versions - we are not officially relicensing them, but we have no intention of taking any action against AGPL 3.0 non-compliance in older releases. That said, compliance with MPL 2.0 is required for this version and all future releases - no exceptions.

A dedicated blog post covering all the details including what this means for addon and theme developers will be published tomorrow, April 25th.

Acknowledgements

This release would not have been possible without the help of our contributors and beta testers.

A special thank you to Simba and FerksFK for their contributions to the codebase, and to Maddigan for his invaluable work during beta testing - single-handedly tracking down the vast majority of bugs in this release.

We also want to thank everyone who responsibly disclosed security vulnerabilities that are patched in this release. Your names will be added to the Hall of Fame in our SECURITY.md once the CVE details are publicly disclosed.

Thank you to everyone else who contributed, reported issues, or helped test along the way. You are what keeps this project alive ❤️.

What's Changed

Bug Fixes

  • Fixed credits being displayed as 1000x their actual value in parts of the UI and API responses
  • Fixed the OOM Killer checkbox not saving its value
  • Fixed HTTP 500 on the admin overview page when the .git directory is missing
  • Fixed "Log back in" being unavailable to admins after using "Login as User"
  • Fixed potential referral system abuse through account deletion - deleted referrals are now visible to admins
  • Fixed php artisan route:cache failing due to duplicate route names
  • Fixed mass user notifications failing if one email address was rejected by the mail server
  • Fixed server creation flow allowing credits to be deducted even when server creation failed
  • Fixed allocation limit applying globally instead of per-node, which blocked server creation on all nodes when only one reached its limit
  • Fixed multiple coupons created via range function having their value saved as 1000x less than intended
  • Fixed manual email confirmation not triggering events, which prevented users from receiving their referral and email confirmation rewards
  • Fixed coupon application unlocking the payment button without a selected payment gateway
  • Fixed 100% off coupons not allowing users to claim a product for free without selecting a payment gateway
  • Fixed admins being unable to delete coupons
  • Fixed referral commission calculation returning incorrect amounts
  • Fixed regular users being able to view coupon and voucher-related logs
  • Fixed payment confirmation email formatting
  • Fixed broken installation caused by a database column type mismatch

New Features & Improvements

  • Added support for coupons with unlimited uses
  • Added "Minimum product price" setting for coupons
  • Added option to automatically delete expired vouchers and those that have reached their usage limit
  • Added ability for users to change or remove an applied coupon at checkout
  • Coupons are now temporarily reserved during checkout and only marked as used after a successful payment
  • Added ticket deletion confirmation prompt
  • Added a notification 3 days before server suspension when the user has insufficient credits
  • Added rate limiting for server creation to prevent abuse from repeated rapid requests
  • Added optional reason field for server and user moderation actions via the API
  • Added Ukrainian localization; extended Russian localization
  • Added ability to change thousand and decimal separators - either globally or per user based on their locale
  • Admins can now select all eggs in a nest by clicking the nest name in the product configuration list
  • Products now accept 0 as a value for unlimited resources
  • Products in the upgrade/downgrade list are now sorted by price
  • Removed the global minimum-credits setting - each product now defines its own minimum-credits value
  • Removed "Generate random codes" from the coupon edit page
  • Reordered settings items for better readability
  • Fully reworked payment gateways - admins must now configure webhook tokens per gateway
  • Redesigned the version info card on the overview page
  • Installer step can now be reset by adding ?reset to the URL, without needing DevTools or clearing site data
  • User creation command (php artisan make:user) now returns an error if the email or Pterodactyl ID is already in use

Fixed Vulnerabilities

info

Vulnerability details will be disclosed two weeks after the release date

  • CVE-2026-34234
  • CVE-2026-34358
  • CVE-2026-34246
  • CVE-2026-34216
  • CVE-2026-34241
  • CVE-2026-34233

This release also includes a number of internal bug fixes, performance improvements, and code refactors not listed above.
Full Changelog: https://github.com/Ctrlpanel-gg/panel/compare/1.1.1...1.2.0