Cyber Resilience

CVE-2026-40177

Critical

Published: 10 April 2026
Modified: 21 April 2026
KEV Added: not listed
Patch: fixed in version 0.112
CVSS Score (v4): 9.3 (Critical)
CVSS Vector (v4): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0033 (24.6th percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-40177 is a critical-severity Improper Authentication (CWE-287) vulnerability in the Ajenti Plugin Core (ajenti.plugin.core) component of Ajenti. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 24.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40177 is an authentication bypass vulnerability in the ajenti.plugin.core component of Ajenti, a web-based Linux system administration tool. In versions prior to 0.112, when two-factor authentication (2FA) is enabled, attackers can bypass password authentication entirely. The vulnerability is classified under CWE-287 (Improper Authentication) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, and significant integrity impact with no privileges required.

Any unauthenticated attacker with network access to the Ajenti instance can exploit this vulnerability without user interaction. By triggering the bypass when 2FA is activated, they can gain unauthorized access to the administrative interface, potentially allowing them to perform actions with the privileges of authenticated users and compromising system integrity.

The GitHub Security Advisory (GHSA-3mcx-6wxm-qr8v) confirms the issue and states that it is fixed in Ajenti version 0.112, recommending immediate upgrades to mitigate the risk. No additional workarounds are detailed in the provided information.

Vulnerability details

ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if 2FA was activated, it was possible to bypass the password authentication. This vulnerability is fixed in 0.112.

CWE(s): CWE-287 (Improper Authentication)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in publicly accessible web admin tool enables direct exploitation of public-facing application for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27975: same vendor (Ajenti)
CVE-2025-1044: shared CWE-287
CVE-2026-1740: shared CWE-287
CVE-2026-7022: shared CWE-287
CVE-2024-13111: shared CWE-287
CVE-2026-29145: shared CWE-287
CVE-2018-25236: shared CWE-287
CVE-2024-53704: shared CWE-287
CVE-2024-57049: shared CWE-287
CVE-2025-12374: shared CWE-287

Affected Assets

Vendor: ajenti
Product: ajenti plugin core
Versions: ≤ 0.112

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): mandates timely patching of known vulnerabilities like CVE-2026-40177 by upgrading Ajenti to version 0.112, directly eliminating the authentication bypass.

IA-2 Identification and Authentication (Organizational Users) (prevent): requires implementation of robust multifactor authentication mechanisms without bypass flaws, addressing the improper 2FA handling in ajenti.plugin.core.

AC-3 Access Enforcement (prevent): ensures system mechanisms correctly enforce authentication decisions, mitigating unauthorized access from the password bypass when 2FA is enabled.
