Platform: python
Component: ajenti
Fixed in: 0.112.1, 0.112
CVE-2026-40177 describes a critical authentication bypass vulnerability affecting Ajenti versions 0.0.0 through 0.111. An attacker can bypass password authentication, even when two-factor authentication (2FA) is enabled, potentially gaining unauthorized access to the system. This vulnerability is fixed in version 0.112, and immediate upgrading is strongly recommended.
The impact of CVE-2026-40177 is significant. Successful exploitation allows an attacker to bypass the intended security measures of Ajenti, even with 2FA in place. This could lead to complete system compromise, including unauthorized access to sensitive data, modification of system configurations, and potential lateral movement within the network. The ability to bypass 2FA dramatically increases the severity of this vulnerability, as it circumvents a key security control. While the specific data at risk depends on the Ajenti configuration and the data it manages, the potential for broad access makes this a high-priority concern.
CVE-2026-40177 was publicly disclosed on 2026-04-10. As of this date, there are no publicly available proof-of-concept exploits, and the vulnerability is not listed on CISA KEV. The EPSS score is likely to be assessed as medium, given the critical CVSS score and the lack of public exploits; the likelihood of exploitation rises if a PoC is published.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC
The primary mitigation for CVE-2026-40177 is to upgrade Ajenti to version 0.112 or later as soon as possible. If an immediate upgrade is not feasible due to compatibility issues or system downtime constraints, consider temporarily disabling 2FA as a short-term workaround, understanding that this significantly reduces security. Review Ajenti's access logs for any suspicious activity. There are no specific WAF rules or detection signatures readily available for this bypass, making prompt patching the most effective defense. After upgrading, confirm the fix by attempting to authenticate with 2FA enabled and verifying that the bypass is no longer possible.
Update the Ajenti plugin to version 0.112 or higher to mitigate the password bypass vulnerability when two-factor authentication (2FA) is enabled. This update corrects the issue by ensuring password authentication is performed correctly even with 2FA enabled.
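A quick way to act on the "check your Ajenti version" advice is to compare a pinned version against the first fixed release stated in this advisory. The script below is an added example, not code from the advisory or the Ajenti project; it assumes the package is pinned as `ajenti==<version>` in a requirements.txt and uses a numeric tuple compare, because a plain string compare would wrongly sort "0.9" after "0.112".

```python
"""Check a pinned Ajenti version against the CVE-2026-40177 affected range
(0.0.0 through 0.111; first fixed release 0.112).

Added example using only the standard library; not part of the advisory.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "0.112"  # first fixed release named in the advisory
# Assumption: the dependency is pinned under the name "ajenti" (the component
# name given in this advisory), with an exact "==" pin.
PIN_RE = re.compile(r"^\s*ajenti\s*==\s*([0-9][0-9A-Za-z.\-]*)", re.I)


def parse_version(text: str) -> Tuple[int, ...]:
    """'0.112.1' -> (0, 112, 1). A non-numeric suffix such as 'rc1' is
    dropped, so pre-releases compare as their base version (a simplification)."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is older than the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def find_ajenti_pin(requirements_text: str) -> Optional[str]:
    """Return the pinned ajenti version from requirements.txt text, or None."""
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0]  # strip trailing comments
        m = PIN_RE.match(line)
        if m:
            return m.group(1)
    return None


def check_requirements(requirements_text: str) -> str:
    """Classify a requirements file as 'affected', 'fixed' or 'unpinned'."""
    pin = find_ajenti_pin(requirements_text)
    if pin is None:
        return "unpinned"  # unpinned or absent: verify the installed version by hand
    return "affected" if is_affected(pin) else "fixed"


# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = "flask==3.0.0\najenti==0.111   # admin panel\nrequests>=2.31\n"

if __name__ == "__main__":
    print(check_requirements(SAMPLE_REQUIREMENTS))  # affected
```

An "unpinned" result is not a clean bill of health; confirm the running version on the host itself.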
CVE-2026-40177 is a critical vulnerability in Ajenti versions 0.0.0 through 0.111 that allows attackers to bypass password authentication, even when 2FA is enabled, potentially granting unauthorized system access.
If you are running Ajenti versions 0.0.0 through 0.111, you are potentially affected by this vulnerability. Check your Ajenti version and upgrade immediately if necessary.
The recommended fix is to upgrade Ajenti to version 0.112 or later. If an immediate upgrade is not possible, consider temporarily disabling 2FA as a short-term workaround.
As of the current date, there are no confirmed reports of active exploitation of CVE-2026-40177, but the critical severity warrants immediate attention and patching.
Refer to the official Ajenti security advisory for detailed information and updates regarding CVE-2026-40177. (Note: Specific advisory URL not provided in input data.)