CVE-2026-35175
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
An authenticated user (using the auth_users plugin authentication method) could install a custom package even if this user is not superuser.
Patches
This is fixed in the version 2.2.15. Users should upgrade to this version as soon as possible.
AnalysisAI
Privilege escalation in Ajenti panel allows authenticated non-superuser accounts to install arbitrary Python packages, bypassing role-based access controls. Affects installations using the auth_users plugin authentication method. Vendor-released patch available in version 2.2.15. No public exploit identified at time of analysis, though the privilege bypass mechanism is straightforward for authenticated users to abuse.
Technical ContextAI
Ajenti is a web-based server administration panel written in Python, distributed via PyPI as ajenti-panel. This vulnerability stems from CWE-862 (Missing Authorization), where the package installation functionality fails to properly verify whether the authenticated user possesses superuser privileges before executing sensitive operations. The auth_users plugin provides local authentication, and users authenticated through this method can access administrative functions that should be restricted to superuser roles. The flaw exists in the authorization layer rather than authentication-users must successfully authenticate, but subsequent privilege checks for package installation are either missing or improperly implemented. Python package installation in a web panel context is particularly sensitive as it can lead to arbitrary code execution on the underlying system.
RemediationAI
Upgrade to Ajenti panel version 2.2.15 or later immediately. The patched release is available from PyPI and can be installed via pip upgrade commands. Release details and changelog available at https://github.com/ajenti/ajenti/releases/tag/v2.2.15. For installations unable to upgrade immediately, implement compensating controls by limiting auth_users plugin usage to trusted administrators only, or temporarily disabling non-superuser accounts until patching is complete. Review audit logs for any unauthorized package installations that may have occurred prior to remediation. No workarounds exist that fully mitigate the authorization bypass without upgrading. Organizations should prioritize this upgrade in maintenance windows, particularly in multi-user environments. Vendor advisory provides authoritative guidance at https://github.com/ajenti/ajenti/security/advisories/GHSA-73jv-44c3-j5p2.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-73jv-44c3-j5p2