Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-38979

CVE-2026-38979: Ajenti Clickjacking Vulnerability

CVE-2026-38979 is a clickjacking vulnerability in Ajenti through v2.2.13 affecting the login and admin UI due to missing anti-framing protections. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-38979 Overview

CVE-2026-38979 is a clickjacking vulnerability in ajenti through version 2.2.13. The flaw resides in the browser-facing login and administrative user interface (UI). In ajenti-core/aj/http.py, the core HTTP response path initializes an empty header list and forwards handler-added headers verbatim through WSGI start_response(). The response finalization step does not add anti-framing protections such as X-Frame-Options or a Content-Security-Policyframe-ancestors directive. Attackers can embed the ajenti UI in an attacker-controlled frame to trick authenticated administrators into performing unintended actions [CWE-1021].

Critical Impact

An attacker who lures an authenticated administrator to a malicious page can frame the ajenti admin UI and hijack clicks to execute privileged actions.

Affected Products

  • ajenti through v2.2.13
  • ajenti-core aj/http.py HTTP response handler
  • ajenti login and administrative web UI

Discovery Timeline

  • 2026-07-06 - CVE-2026-38979 published to NVD
  • 2026-07-09 - Last updated in NVD database

Technical Details for CVE-2026-38979

Vulnerability Analysis

The vulnerability is an Improper Restriction of Rendered UI Layers or Frames issue [CWE-1021]. The ajenti HTTP response pipeline in ajenti-core/aj/http.py constructs response headers by iterating self.headers and passing the resulting list directly to start_response(). No default anti-framing headers are injected before the response is finalized. Because the login and administrative endpoints do not emit X-Frame-Options or a Content-Security-Policy: frame-ancestors directive, browsers permit the ajenti UI to render inside an <iframe> on any origin. The impact is limited to confidentiality and integrity of user-driven actions and requires user interaction, but no privileges or authentication on the attacker's side.

Root Cause

The root cause is missing default security headers in the WSGI response construction path. Handler code can add headers, but the framework itself does not guarantee framing protections, leaving every response unprotected unless a handler opts in.

Attack Vector

An attacker hosts a malicious page that loads the ajenti admin UI in a hidden or transparent iframe. A logged-in administrator visiting the page can be tricked into clicking overlaid UI elements. The clicks are delivered to ajenti in the administrator's authenticated session, triggering privileged operations.

python
# Security patch in ajenti-core/aj/http.py adding anti-framing headers
         status = self.status
         if isinstance(status, int):
             status = f'{status} '

        headers = []
        headers_keys = []

        for x,y in self.headers:
            headers.append((str(x), str(y)))
            headers_keys.append(str(x))

        if 'X-Frame-Options' not in headers_keys:
            headers.append(('X-Frame-Options', 'DENY'))
        if 'Content-Security-Policy' not in headers_keys:
            headers.append(('Content-Security-Policy', 'frame-ancestors \'self\';'))

         self.start_response(
             str(status),
            headers
         )

         def respond(self, status):

Source: GitHub Commit e54e838

Detection Methods for CVE-2026-38979

Indicators of Compromise

  • HTTP responses from ajenti endpoints missing X-Frame-Options and Content-Security-Policy: frame-ancestors headers.
  • Referer headers on authenticated ajenti requests pointing to unexpected third-party origins.
  • Unusual administrative actions performed shortly after an administrator visited an untrusted external site.

Detection Strategies

  • Scan ajenti HTTP responses for the presence of anti-framing headers and flag responses that lack them.
  • Correlate administrative action logs with browser referer or session metadata to spot cross-origin-initiated activity.
  • Perform authenticated web application scans against /, /view/login/normal, and other admin routes to confirm header coverage.

Monitoring Recommendations

  • Alert on ajenti versions at or below 2.2.13 in software inventory.
  • Monitor reverse proxy and WAF logs for iframe-loading patterns targeting ajenti hostnames.
  • Track configuration changes in ajenti audit logs for actions occurring outside expected administrator workflows.

How to Mitigate CVE-2026-38979

Immediate Actions Required

  • Upgrade ajenti past commit e54e838 once a fixed release is available, or apply the patch directly to ajenti-core/aj/http.py.
  • Restrict access to the ajenti administrative UI to trusted management networks or VPN clients.
  • Instruct administrators to log out of ajenti when not actively performing management tasks.

Patch Information

The upstream fix is committed in the ajenti repository. The patch modifies ajenti-core/aj/http.py to inject X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'self'; when handlers have not already set those headers. Review the GitHub commit e54e838 and the ajenti project repository for release status.

Workarounds

  • Terminate ajenti behind a reverse proxy that injects X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'self'; on every response.
  • Enforce SameSite=Strict cookies on the ajenti session cookie to blunt cross-site framing abuse.
  • Require administrators to use a dedicated browser profile for ajenti to reduce exposure to malicious third-party pages.
bash
# nginx reverse proxy example enforcing anti-framing headers for ajenti
server {
    listen 443 ssl;
    server_name ajenti.example.com;

    location / {
        proxy_pass https://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        add_header X-Frame-Options "DENY" always;
        add_header Content-Security-Policy "frame-ancestors 'self';" always;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.