Description
ajenti through v2.2.13 has a clickjacking weakness in the browser-facing login and administrative UI. In ajenti-core/aj/http.py, the core HTTP response path initializes an empty header list, forwards handler-added headers verbatim, and finalizes responses through WSGI start_response() without adding anti-framing protections such as X-Frame-Options or a Content-Security-Policy frame-ancestors restriction.
Published: 2026-07-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A clickjacking weakness exists in the browser-facing login and administrative UI of Ajenti versions up to 2.2.13. The web server does not add anti-framing protections such as the X‑Frame‑Options header or a Content‑Security‑Policy frame‑ancestors directive, allowing a malicious page to embed the interface in an invisible frame. An attacker can trick a logged‑in administrator into interacting with the frame, potentially causing unintended actions or credential leakage.

Affected Systems

Any installation of Ajenti with a version older than or equal to 2.2.13 is affected. This includes standard Ajenti deployments that use the default web interface and rely on the bundled ajenti-core components.

Risk and Exploitability

The vulnerability is client‑side and requires the user to load a malicious page that frames the Ajenti interface; no remote code execution is possible from the attack surface alone. Because the exploit requires a victim to visit a crafted site, the likelihood of wide exploitation is moderate, but the impact could be serious if administrators are targeted. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, but the absence of framing protections suggests a high potential for abuse in targeted scenarios.

Generated by OpenCVE AI on July 7, 2026 at 06:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ajenti to version 2.2.14 or newer, which includes the added anti‑framing headers.
  • If an upgrade is not immediately possible, manually configure the web server serving Ajenti to emit an X‑Frame‑Options: SAMEORIGIN header or a Content‑Security‑Policy: frame‑ancestors 'self' response for the affected URLs.
  • Ensure that all public‑facing Ajenti instances are restricted to secure, authenticated users and consider implementing network‑level controls to limit exposure to malicious web pages.

Generated by OpenCVE AI on July 7, 2026 at 06:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 06:45:00 +0000

Type Values Removed Values Added
Title Clickjacking Vulnerability in Ajenti Login and Administrative UI
Weaknesses CWE-1021

Mon, 06 Jul 2026 23:30:00 +0000

Type Values Removed Values Added
First Time appeared Ajenti
Ajenti ajenti
Vendors & Products Ajenti
Ajenti ajenti

Mon, 06 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description ajenti through v2.2.13 has a clickjacking weakness in the browser-facing login and administrative UI. In ajenti-core/aj/http.py, the core HTTP response path initializes an empty header list, forwards handler-added headers verbatim, and finalizes responses through WSGI start_response() without adding anti-framing protections such as X-Frame-Options or a Content-Security-Policy frame-ancestors restriction.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-07-06T21:28:41.104Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38979

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T06:30:16Z

Weaknesses
  • CWE-1021

    Improper Restriction of Rendered UI Layers or Frames