CVE-2026-35175 Overview
CVE-2026-35175 is an authorization bypass vulnerability in Ajenti, a modular server administration panel for Linux and BSD systems. Prior to version 2.2.15, an authenticated user utilizing the auth_users plugin authentication method could install custom packages even without superuser privileges. This vulnerability allows non-privileged authenticated users to bypass authorization controls and perform administrative actions that should be restricted to superuser accounts only.
Critical Impact
Authenticated users without superuser privileges can install arbitrary custom packages, potentially leading to system compromise, privilege escalation, or installation of malicious software on managed servers.
Affected Products
- Ajenti versions prior to 2.2.15
- Linux systems running vulnerable Ajenti installations
- BSD systems running vulnerable Ajenti installations
Discovery Timeline
- 2026-04-06 - CVE CVE-2026-35175 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-35175
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization). The core issue lies in Ajenti's failure to properly verify that a user has superuser privileges before allowing package installation operations. When authenticated through the auth_users plugin, the authorization check for package installation functionality is either missing or improperly implemented, allowing any authenticated user to access this privileged functionality.
The network-accessible nature of this vulnerability means that any authenticated user with network access to the Ajenti panel can exploit this flaw. The attack requires low privileges (just basic authentication) and no user interaction, making it relatively easy to exploit once an attacker has any level of authenticated access to the system.
Root Cause
The root cause of CVE-2026-35175 is a missing authorization check (CWE-862) in the package installation functionality of Ajenti. The application fails to validate whether the authenticated user possesses superuser privileges before permitting package installation operations. This authorization gap allows standard authenticated users to perform actions that should be restricted to administrators only.
Attack Vector
The attack vector for this vulnerability is network-based and requires low-privilege authenticated access. An attacker who has obtained valid credentials for a non-superuser account on an Ajenti installation can exploit this vulnerability by:
- Authenticating to the Ajenti panel using valid non-superuser credentials
- Accessing the package installation functionality through the web interface
- Installing custom packages without proper authorization verification
- Potentially using installed packages to escalate privileges or compromise the system
The vulnerability does not require any user interaction and can be exploited with low complexity. See the GitHub Security Advisory GHSA-73jv-44c3-j5p2 for additional technical details.
Detection Methods for CVE-2026-35175
Indicators of Compromise
- Unexpected package installations on systems managed by Ajenti
- Package installation logs showing activity from non-superuser accounts
- Audit logs indicating package management API calls from unauthorized users
- Presence of unfamiliar or suspicious packages on managed systems
Detection Strategies
- Monitor Ajenti application logs for package installation requests from non-superuser accounts
- Implement web application firewall rules to detect unusual package installation API calls
- Review system package management logs (apt, yum, pkg) for unexpected installations
- Deploy endpoint detection to identify unauthorized software installations
Monitoring Recommendations
- Enable verbose logging in Ajenti to capture all administrative actions
- Set up alerts for package installation events on production systems
- Regularly audit installed packages against approved baselines
- Monitor network traffic to Ajenti for suspicious API requests
How to Mitigate CVE-2026-35175
Immediate Actions Required
- Upgrade Ajenti to version 2.2.15 or later immediately
- Review user accounts and remove unnecessary access privileges
- Audit recent package installations for any unauthorized or suspicious packages
- Restrict network access to Ajenti administrative interfaces
Patch Information
The vulnerability has been fixed in Ajenti version 2.2.15. Organizations should upgrade to this version or later to remediate the vulnerability. The patch can be obtained from the official Ajenti GitHub releases page.
Workarounds
- Restrict Ajenti access to trusted networks only using firewall rules
- Limit authenticated user accounts to only those requiring administrative access
- Implement additional network-level authentication (VPN) before accessing Ajenti
- Monitor and audit all package installation activities manually until patching is complete
# Configuration example - Restrict Ajenti access via firewall
# Allow access only from trusted management network
iptables -A INPUT -p tcp --dport 8000 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
# Upgrade Ajenti to patched version
pip install ajenti>=2.2.15
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
