A race condition within Ajenti’s core plugin creates a narrow window immediately after a user logs in during which the system fails to enforce the second factor. While the user remains authenticated, the missing token check allows an attacker with any valid credentials to operate without providing the additional authentication step. This flaw results in an unauthorized, persistent session that can be used to access the administration interface with elevated privileges.

All installations of Ajenti using the core plugin before version 0.112 are vulnerable. The affected product is the Ajenti core plugin, which manages the web‑based administration environment. Users running earlier releases should be aware that 2FA may be bypassed during the brief period after initial authentication.

The medium CVSS score of 6.9 reflects the potential for privilege escalation once a valid account is compromised. No EPSS score is available, and the flaw is not listed in the CISA Known Exploited Vulnerabilities catalogue. The likely attack path requires initial access to a legitimate user account and exploitation of the race window via the Ajenti web interface. The risk is elevated for systems exposed to untrusted networks where attackers can attempt repeated logins to trigger the condition.