CVE-2026-40178

MEDIUM

ajenti.plugin.core has a race conditions in 2FA

Title source: cna

Description

ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible during a short moment after the authentication of an user to bypass its authentication. This vulnerability is fixed in 0.112.

References (1)

[X_Refsource_Confirm] https://github.com/ajenti/ajenti/security/advisories/GHSA-8647-755q-fw9p

Scores

CVSS v3 5.9

EPSS 0.0002

EPSS Percentile 5.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-287 CWE-362

Status published

Products (3)

ajenti/ajenti < 0.112

ajenti/ajenti_plugin_core < 0.112

pypi/ajenti.plugin.core 0 - 0.112PyPI

Published Apr 10, 2026

Tracked Since Apr 11, 2026