CVE-2026-40177
Published: 10 April 2026
Summary
CVE-2026-40177 is a critical-severity Improper Authentication (CWE-287) vulnerability in Ajenti Plugin Core (vendor: Ajenti). Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 24.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40177 is an authentication bypass vulnerability in the ajenti.plugin.core component of Ajenti, a web-based Linux system administration tool. In versions prior to 0.112, when two-factor authentication (2FA) is enabled, attackers can bypass password authentication entirely. The vulnerability is classified under CWE-287 (Improper Authentication) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, and significant integrity impact with no privileges required.
Any unauthenticated attacker with network access to the Ajenti instance can exploit this vulnerability without user interaction. By triggering the bypass when 2FA is activated, they can gain unauthorized access to the administrative interface, potentially allowing them to perform actions with the privileges of authenticated users and compromising system integrity.
The GitHub Security Advisory (GHSA-3mcx-6wxm-qr8v) confirms the issue and states that it is fixed in Ajenti version 0.112, recommending immediate upgrades to mitigate the risk. No additional workarounds are detailed in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21575
Vulnerability details
ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if 2FA was activated, it was possible to bypass the password authentication. This vulnerability is fixed in 0.112.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authentication bypass in publicly accessible web admin tool enables direct exploitation of public-facing application for unauthorized access.
Mitigating Controls (NIST 800-53 r5)
Flaw Remediation (SI-2) mandates timely patching of known vulnerabilities such as CVE-2026-40177 by upgrading Ajenti to version 0.112, which directly eliminates the authentication bypass.
Identification and Authentication (Organizational Users) (IA-2) requires multifactor authentication mechanisms that are robust and free of bypass flaws, addressing the improper 2FA handling in ajenti.plugin.core.
Access Enforcement (AC-3) ensures that system mechanisms correctly enforce authentication decisions, mitigating the unauthorized access that results from the password bypass when 2FA is enabled.
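The only remediation the advisory and the SI-2 control above give is upgrading to 0.112, so the check a defender most needs is a reliable version gate. The script below is an added example written for this page, not code from the advisory or from the Ajenti project. It assumes the installed distribution is registered under the name ajenti.plugin.core (an assumption; pass the name your host actually uses), and it compares versions numerically rather than as strings, because a string compare wrongly ranks "0.99" above "0.112". Pre-release builds of the fixed version (for example "0.112rc1") are treated conservatively as still vulnerable.

```python
"""Check whether an installed Ajenti core plugin predates the CVE-2026-40177 fix.

Added example for this advisory page; not code from the Ajenti project.
"""
from importlib import metadata

FIXED_VERSION = "0.112"            # first fixed release, per the advisory
PACKAGE_NAME = "ajenti.plugin.core"  # assumed distribution name; adjust if your install differs


def parse_version(version: str):
    """Split a dotted version into (tuple_of_ints, is_prerelease).

    Each component keeps only its leading digits; a component with any
    non-numeric suffix ("112rc1", "112-dev") marks the version as a pre-release.
    """
    parts = []
    prerelease = False
    for component in version.strip().split("."):
        digits = ""
        for ch in component:
            if ch.isdigit():
                digits += ch
            else:
                break
        if len(digits) != len(component):
            prerelease = True
        parts.append(int(digits) if digits else 0)
    return tuple(parts), prerelease


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` is older than the fixed release.

    A pre-release of the fixed version is also reported as vulnerable, since it
    may predate the commit that closed the bypass.
    """
    installed, prerelease = parse_version(version)
    fixed_parsed, _ = parse_version(fixed)
    # Pad the shorter tuple so that (0, 112) and (0, 112, 0) compare as equal.
    width = max(len(installed), len(fixed_parsed))
    installed += (0,) * (width - len(installed))
    fixed_parsed += (0,) * (width - len(fixed_parsed))
    if installed < fixed_parsed:
        return True
    return installed == fixed_parsed and prerelease


def installed_status(package: str = PACKAGE_NAME) -> str:
    """Report the patch state of the locally installed package, if present."""
    try:
        version = metadata.version(package)
    except metadata.PackageNotFoundError:
        return f"{package}: not installed"
    if is_vulnerable(version):
        return f"{package} {version}: VULNERABLE (upgrade to {FIXED_VERSION} or later)"
    return f"{package} {version}: patched"


if __name__ == "__main__":
    print(installed_status())
```

Run it with the Python interpreter that hosts the Ajenti install; a host running 0.112 or later reports "patched", anything older reports "VULNERABLE" with the target version to upgrade to.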