Skip to main content

CVE-2026-35175

HIGH
Missing Authorization (CWE-862)
2026-04-03 https://github.com/ajenti/ajenti GHSA-73jv-44c3-j5p2
7.2
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Re-analysis Queued
Apr 20, 2026 - 18:37 vuln.today
cvss_changed
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 04:00 vuln.today
CVE Published
Apr 03, 2026 - 03:57 nvd
HIGH 7.2

DescriptionGitHub Advisory

Impact

An authenticated user (using the auth_users plugin authentication method) could install a custom package even if this user is not superuser.

Patches

This is fixed in the version 2.2.15. Users should upgrade to this version as soon as possible.

AnalysisAI

Privilege escalation in Ajenti panel allows authenticated non-superuser accounts to install arbitrary Python packages, bypassing role-based access controls. Affects installations using the auth_users plugin authentication method. Vendor-released patch available in version 2.2.15. No public exploit identified at time of analysis, though the privilege bypass mechanism is straightforward for authenticated users to abuse.

Technical ContextAI

Ajenti is a web-based server administration panel written in Python, distributed via PyPI as ajenti-panel. This vulnerability stems from CWE-862 (Missing Authorization), where the package installation functionality fails to properly verify whether the authenticated user possesses superuser privileges before executing sensitive operations. The auth_users plugin provides local authentication, and users authenticated through this method can access administrative functions that should be restricted to superuser roles. The flaw exists in the authorization layer rather than authentication-users must successfully authenticate, but subsequent privilege checks for package installation are either missing or improperly implemented. Python package installation in a web panel context is particularly sensitive as it can lead to arbitrary code execution on the underlying system.

RemediationAI

Upgrade to Ajenti panel version 2.2.15 or later immediately. The patched release is available from PyPI and can be installed via pip upgrade commands. Release details and changelog available at https://github.com/ajenti/ajenti/releases/tag/v2.2.15. For installations unable to upgrade immediately, implement compensating controls by limiting auth_users plugin usage to trusted administrators only, or temporarily disabling non-superuser accounts until patching is complete. Review audit logs for any unauthorized package installations that may have occurred prior to remediation. No workarounds exist that fully mitigate the authorization bypass without upgrading. Organizations should prioritize this upgrade in maintenance windows, particularly in multi-user environments. Vendor advisory provides authoritative guidance at https://github.com/ajenti/ajenti/security/advisories/GHSA-73jv-44c3-j5p2.

Share

CVE-2026-35175 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy