Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35175

CVE-2026-35175: Ajenti Auth Bypass Vulnerability

CVE-2026-35175 is an authentication bypass flaw in Ajenti server admin panel that allows authenticated non-superusers to install custom packages. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-35175 Overview

CVE-2026-35175 is an authorization bypass vulnerability in Ajenti, a modular server administration panel for Linux and BSD systems. Prior to version 2.2.15, an authenticated user utilizing the auth_users plugin authentication method could install custom packages even without superuser privileges. This vulnerability allows non-privileged authenticated users to bypass authorization controls and perform administrative actions that should be restricted to superuser accounts only.

Critical Impact

Authenticated users without superuser privileges can install arbitrary custom packages, potentially leading to system compromise, privilege escalation, or installation of malicious software on managed servers.

Affected Products

  • Ajenti versions prior to 2.2.15
  • Linux systems running vulnerable Ajenti installations
  • BSD systems running vulnerable Ajenti installations

Discovery Timeline

  • 2026-04-06 - CVE CVE-2026-35175 published to NVD
  • 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-35175

Vulnerability Analysis

This vulnerability is classified as CWE-862 (Missing Authorization). The core issue lies in Ajenti's failure to properly verify that a user has superuser privileges before allowing package installation operations. When authenticated through the auth_users plugin, the authorization check for package installation functionality is either missing or improperly implemented, allowing any authenticated user to access this privileged functionality.

The network-accessible nature of this vulnerability means that any authenticated user with network access to the Ajenti panel can exploit this flaw. The attack requires low privileges (just basic authentication) and no user interaction, making it relatively easy to exploit once an attacker has any level of authenticated access to the system.

Root Cause

The root cause of CVE-2026-35175 is a missing authorization check (CWE-862) in the package installation functionality of Ajenti. The application fails to validate whether the authenticated user possesses superuser privileges before permitting package installation operations. This authorization gap allows standard authenticated users to perform actions that should be restricted to administrators only.

Attack Vector

The attack vector for this vulnerability is network-based and requires low-privilege authenticated access. An attacker who has obtained valid credentials for a non-superuser account on an Ajenti installation can exploit this vulnerability by:

  1. Authenticating to the Ajenti panel using valid non-superuser credentials
  2. Accessing the package installation functionality through the web interface
  3. Installing custom packages without proper authorization verification
  4. Potentially using installed packages to escalate privileges or compromise the system

The vulnerability does not require any user interaction and can be exploited with low complexity. See the GitHub Security Advisory GHSA-73jv-44c3-j5p2 for additional technical details.

Detection Methods for CVE-2026-35175

Indicators of Compromise

  • Unexpected package installations on systems managed by Ajenti
  • Package installation logs showing activity from non-superuser accounts
  • Audit logs indicating package management API calls from unauthorized users
  • Presence of unfamiliar or suspicious packages on managed systems

Detection Strategies

  • Monitor Ajenti application logs for package installation requests from non-superuser accounts
  • Implement web application firewall rules to detect unusual package installation API calls
  • Review system package management logs (apt, yum, pkg) for unexpected installations
  • Deploy endpoint detection to identify unauthorized software installations

Monitoring Recommendations

  • Enable verbose logging in Ajenti to capture all administrative actions
  • Set up alerts for package installation events on production systems
  • Regularly audit installed packages against approved baselines
  • Monitor network traffic to Ajenti for suspicious API requests

How to Mitigate CVE-2026-35175

Immediate Actions Required

  • Upgrade Ajenti to version 2.2.15 or later immediately
  • Review user accounts and remove unnecessary access privileges
  • Audit recent package installations for any unauthorized or suspicious packages
  • Restrict network access to Ajenti administrative interfaces

Patch Information

The vulnerability has been fixed in Ajenti version 2.2.15. Organizations should upgrade to this version or later to remediate the vulnerability. The patch can be obtained from the official Ajenti GitHub releases page.

Workarounds

  • Restrict Ajenti access to trusted networks only using firewall rules
  • Limit authenticated user accounts to only those requiring administrative access
  • Implement additional network-level authentication (VPN) before accessing Ajenti
  • Monitor and audit all package installation activities manually until patching is complete
bash
# Configuration example - Restrict Ajenti access via firewall
# Allow access only from trusted management network
iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP

# Upgrade Ajenti to patched version
pip install ajenti>=2.2.15

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.