Description
ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible to bypass the password authentication This vulnerability is fixed in 0.112.
Published: 2026-04-10
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication bypass when two‑factor authentication is enabled
Action: Patch Now
AI Analysis

Impact

Ajenti’s core plugin prior to version 0.112 allowed an attacker to bypass the password check when two‑factor authentication was active. The flaw permits an attacker to gain entry to the administrative interface without legitimate credentials, exposing the system to full compromise. This vulnerability is a classic example of an authentication failure (CWE-287).

Affected Systems

All Ajenti installations running any version older than 0.112 are vulnerable. The flaw resides in the plugin that manages core authentication functionality, so any deployment of that plugin before the update is affected.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity risk. The EPSS score of < 1% indicates a low likelihood of exploitation. Although explicit exploitation metrics aren’t provided, the vulnerability’s nature suggests it can be exploited remotely through the web interface where username and password are submitted. It is not listed in the CISA Known Exploited Vulnerabilities catalog, but the absence of mitigations and the high score imply a significant threat. Attackers would need only to trigger the login flow with two‑factor enabled; the process is likely straightforward and does not require privileged access to the host.

Generated by OpenCVE AI on April 22, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ajenti to version 0.112 or later
  • If an upgrade cannot be performed immediately, temporarily disable two‑factor authentication until the patch is applied
  • Consider restricting network access to the Ajenti web interface to trusted hosts

Generated by OpenCVE AI on April 22, 2026 at 07:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3mcx-6wxm-qr8v ajenti.plugin.core has password bypass when 2FA is activated
History

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Ajenti ajenti Plugin Core
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:ajenti:ajenti_plugin_core:*:*:*:*:*:*:*:*
Vendors & Products Ajenti ajenti Plugin Core
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Ajenti
Ajenti ajenti
Vendors & Products Ajenti
Ajenti ajenti

Fri, 10 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Description ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible to bypass the password authentication This vulnerability is fixed in 0.112.
Title Password bypass when 2FA is activated
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Ajenti Ajenti Ajenti Plugin Core
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T13:26:56.925Z

Reserved: 2026-04-09T20:59:17.619Z

Link: CVE-2026-40177

cve-icon Vulnrichment

Updated: 2026-04-14T13:26:53.879Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T20:16:22.970

Modified: 2026-04-21T19:31:16.883

Link: CVE-2026-40177

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T07:30:11Z

Weaknesses