Platform: python
Component: ajenti
Fixed in: 0.112.1, 0.112
CVE-2026-40178 describes a Race Condition vulnerability discovered in Ajenti Web Panel. This flaw allows attackers to potentially bypass two-factor authentication (2FA) under specific circumstances, leading to unauthorized access. The vulnerability impacts versions 0.0.0 through 0.111 of Ajenti and has been resolved in version 0.112.
The core impact of CVE-2026-40178 lies in the potential circumvention of 2FA. If an attacker can exploit this race condition, they can gain access to an Ajenti user's account even if 2FA is enabled. This could lead to unauthorized modification of server configurations, access to sensitive data managed through the Ajenti panel, and potentially, further compromise of the underlying system. The window of opportunity for exploitation is brief, requiring precise timing, but the consequences of a successful bypass are significant.
As of the publication date (2026-04-10), there is no public proof-of-concept (PoC) code available for CVE-2026-40178. Exploitation requires precise timing, which may limit widespread exploitation. It is not currently listed in the CISA KEV catalog. The probability of exploitation is considered low to medium, pending the release of a public exploit.
Exploit Status
EPSS: 0.09% (25th percentile)
The primary mitigation for CVE-2026-40178 is to immediately upgrade Ajenti Web Panel to version 0.112 or later. If upgrading is not immediately feasible due to compatibility concerns or system downtime requirements, consider implementing stricter access controls and monitoring login attempts for suspicious activity. While a direct workaround isn't available, enhanced logging and intrusion detection systems can help identify and respond to potential exploitation attempts. After upgrading, confirm the fix by attempting a login with 2FA enabled and verifying that the authentication process functions as expected.
Update the Ajenti Core plugin to version 0.112 or higher to mitigate the race condition vulnerability in two-factor authentication (2FA). This update corrects the issue that allowed authentication to be bypassed for a brief period after user authentication.
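A version check to support the upgrade step above, as an added example (not code from the Ajenti project or from this advisory). It assumes the Core plugin is installed from PyPI under the name `ajenti.plugin.core`, and the requirements sample is constructed.

```python
import re
from importlib import metadata

FIXED = (0, 112)                # first fixed release according to this advisory
PACKAGE = "ajenti.plugin.core"  # assumption: PyPI name of the Ajenti Core plugin

def normalize(name):
    # PEP 503: runs of '.', '_' and '-' are equivalent in distribution names.
    return re.sub(r"[-_.]+", "-", name).lower()

def verdict(version):
    # Compare release segments as integers. As floats or strings 0.99 would
    # sort after 0.112, although 0.99 is the older (affected) release.
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return "unknown"        # pre-release or wildcard pins: review by hand
    parts = tuple(int(p) for p in version.split("."))
    return "fixed" if parts >= FIXED else "vulnerable"

def check_requirements(text):
    """Return (line_number, requirement, verdict) for each Ajenti Core line."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        # Drop comments and environment markers before parsing.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        match = re.match(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)", line)
        if not match or normalize(match.group(1)) != normalize(PACKAGE):
            continue
        pin = re.fullmatch(r"===?\s*(\S+)", match.group(2))
        # Only an exact pin fixes the version; ranges depend on the resolver.
        findings.append((number, line, verdict(pin.group(1)) if pin else "unpinned"))
    return findings

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
pyyaml==6.0.1
ajenti.plugin.core==0.99      # older than 0.112 despite 0.99 > 0.112 as a float
ajenti_plugin_core==0.111
ajenti-plugin-core >= 0.100
Ajenti.Plugin.Core==0.112.1
"""

if __name__ == "__main__":
    for finding in check_requirements(SAMPLE):
        print(*finding)
    try:
        print("installed:", verdict(metadata.version(PACKAGE)))
    except metadata.PackageNotFoundError:
        print("installed: not found in this environment")
```

An "unpinned" result means the file alone cannot tell which release is deployed, so check the installed version on the host itself.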
CVE-2026-40178 is a race condition vulnerability in Ajenti Web Panel versions 0.0.0 through 0.111 that allows attackers to potentially bypass 2FA.
Yes, if you are running Ajenti Web Panel versions 0.0.0 through 0.111, you are affected by this vulnerability.
Upgrade Ajenti Web Panel to version 0.112 or later to resolve this vulnerability. If immediate upgrade is not possible, implement stricter access controls and monitor login attempts.
As of the publication date, there is no confirmed active exploitation of CVE-2026-40178, but the potential exists.
Refer to the Ajenti project's official website or security advisories for the latest information regarding CVE-2026-40178.