Description
Ajenti is a Linux and BSD modular server admin panel. Prior to version 2.2.13, an unauthenticated user could gain access to a server to execute arbitrary code on this server. This is fixed in the version 2.2.13.
Published: 2026-02-26
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in Ajenti's access control lets an unauthenticated user execute arbitrary code on a server that runs the panel. Because the panel exists to perform privileged system management, code execution in the panel process gives the attacker control of the host and compromises confidentiality, integrity and availability of everything it administers. The weakness is classified as CWE‑284, Improper Access Control.

Affected Systems

The vulnerability affects every installation of the Ajenti server administration panel running a version older than 2.2.13, on both Linux and BSD hosts, wherever the panel's web interface is reachable. The issue is resolved in Ajenti 2.2.13 and later releases.

Risk and Exploitability

The CVSS v4.0 base score of 8.1 (network attack vector, low complexity, no privileges, no user interaction, high impact on confidentiality, integrity and availability; exploit maturity unreported) indicates high severity, and NVD's CVSS v3.1 assessment of the same flaw is 9.8 Critical. The EPSS value below 1% is an estimate of the probability that the flaw is exploited in the wild over the next 30 days; it says nothing about how hard the attack is or how detectable it is, and the SSVC assessment marks the issue as Automatable with no known exploitation at publication. The vulnerability is not currently listed in the CISA KEV catalog. The likely attack path is a remote attacker reaching the Ajenti web interface without credentials from any network location that can connect to the panel's listening port; the missing access check then allows crafted requests to execute arbitrary code with the privileges of the panel process. The published record does not describe the vulnerable endpoint or request, so defenders should treat any unauthenticated reachability of the panel as exposure rather than wait for exploit details.

Generated by OpenCVE AI on April 17, 2026 at 14:27 UTC.

Remediation

The vendor fix is Ajenti 2.2.13; the record lists no vendor workaround for earlier versions, so network restriction is the only mitigation short of upgrading.

OpenCVE Recommended Actions

  • Upgrade to Ajenti version 2.2.13 or later to remove the flaw.
  • Restrict access to the Ajenti web interface by limiting the list of IP addresses or subnet ranges that are allowed to connect, or by disabling the interface altogether if it is not needed.
  • Implement network segmentation or firewall rules to ensure that only trusted management networks can reach the Ajenti control plane, thereby reducing exposure to unauthenticated users.
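As an added illustration of the actions above (example code written for this page, not Ajenti's or OpenCVE's), the POSIX shell script below checks the installed panel version against the fixed release and prints an nftables rule set that limits the panel port to management ranges. The PyPI package name ajenti-panel and the default port 8000 are assumptions not stated in the CVE record; the ranges 10.20.0.0/24 and fd00:20::/64 are constructed placeholders.

```shell
#!/bin/sh
# Added example for this advisory; not code from Ajenti or OpenCVE.
# Assumptions (not stated in the CVE record): the panel is installed as the
# PyPI package "ajenti-panel", and it listens on TCP 8000, Ajenti 2's default.
# Adjust both if your deployment differs.

FIXED_VERSION="2.2.13"

# Exit 0 when version $1 is older than the fixed release (i.e. vulnerable),
# 1 when it is 2.2.13 or newer, 2 when no version was supplied.
# sort -V compares version fields numerically, so 2.2.9 sorts before 2.2.13
# (a plain string comparison would get that wrong).
ajenti_is_vulnerable() {
    ver="$1"
    [ -n "$ver" ] || return 2
    [ "$ver" = "$FIXED_VERSION" ] && return 1
    oldest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$oldest" = "$ver" ]
}

# Best-effort read of the installed version from pip metadata; prints nothing
# if the package is not found or pip is absent.
installed_ajenti_version() {
    pip show ajenti-panel 2>/dev/null | awk '/^Version:/ { print $2 }'
}

# Print (do not apply) an nftables table that accepts the panel port only from
# the listed CIDRs and drops every other source. IPv6 prefixes are matched with
# "ip6 saddr", IPv4 with "ip saddr". Loopback is allowed so local checks work.
ajenti_nft_rules() {
    port="$1"
    shift
    printf 'table inet ajenti_mgmt {\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy accept;\n'
    printf '    iifname "lo" tcp dport %s accept\n' "$port"
    for cidr in "$@"; do
        case "$cidr" in
            *:*) fam=ip6 ;;
            *)   fam=ip ;;
        esac
        printf '    %s saddr %s tcp dport %s accept\n' "$fam" "$cidr" "$port"
    done
    printf '    tcp dport %s drop\n' "$port"
    printf '  }\n}\n'
}

# Stand-alone run: report the installed version and show the rules that would
# restrict access to two constructed management ranges.
ver=$(installed_ajenti_version)
if [ -z "$ver" ]; then
    echo "ajenti-panel not found via pip; check the installed version manually"
elif ajenti_is_vulnerable "$ver"; then
    echo "ajenti-panel $ver is vulnerable (CVE-2026-27975); upgrade to $FIXED_VERSION or later"
else
    echo "ajenti-panel $ver is at or beyond the fixed release"
fi
ajenti_nft_rules 8000 10.20.0.0/24 fd00:20::/64
```

Apply the printed rules with `nft -f` only after confirming the listed ranges cover every host that legitimately reaches the panel; the final drop rule otherwise locks out remote administration, which is the intended effect for everyone else.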

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 17:30:00 +0000

Type                  Values Removed    Values Added
Weaknesses                              NVD-CWE-noinfo
CPEs                                    cpe:2.3:a:ajenti:ajenti:*:*:*:*:*:*:*:*
Metrics                                 cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 26 Feb 2026 15:15:00 +0000

Type                  Values Removed    Values Added
Metrics                                 ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Ajenti
                                        Ajenti ajenti
Vendors & Products                      Ajenti
                                        Ajenti ajenti


Thu, 26 Feb 2026 03:15:00 +0000

Type                  Values Removed    Values Added
Description                             Ajenti is a Linux and BSD modular server admin panel. Prior to version 2.2.13, an unauthenticated user could gain access to a server to execute arbitrary code on this server. This is fixed in the version 2.2.13.
Title                                   Ajenti has a potential Remote Code Execution
Weaknesses                              CWE-284
References
Metrics                                 cvssV4_0 {'score': 8.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T14:13:28.184Z

Reserved: 2026-02-25T03:24:57.793Z

Link: CVE-2026-27975

Vulnrichment

Updated: 2026-02-26T14:34:48.524Z

NVD

Status : Analyzed

Published: 2026-02-26T03:16:05.130

Modified: 2026-03-02T17:24:59.513

Link: CVE-2026-27975

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:30:20Z

Weaknesses