Auth bypass in Ajenti

CVE-2026-40177

ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible to bypass the password authentication This vulnerability is fixed in 0.112.

Vulnerability class: Broken Authentication

EPSS: 0.000 (4.9th percentile) — read the EPSS interpretation.

Affected products

Ajenti — versions < 0.112

Weakness classification (CWE)

CWE-287 — Improper Authentication

References

https://github.com/ajenti/ajenti/security/advisories/GHSA-3mcx-6wxm-qr8v (x_refsource_CONFIRM)