CVE-2026-40178 PUBLISHED

ajenti.plugin.core has a race conditions in 2FA

Assigner: GitHub_M
Reserved: 09.04.2026 Published: 10.04.2026 Updated: 10.04.2026

ajenti.plugin.core defines all necessary core elements to allow Ajenti to run properly. Prior to 0.112, if the 2FA was activated, it was possible during a short moment after the authentication of an user to bypass its authentication. This vulnerability is fixed in 0.112.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U
CVSS Score: 6.9

Product Status

Vendor ajenti
Product ajenti
Versions
  • Version < 0.112 is affected

References

Problem Types

  • CWE-287: Improper Authentication CWE
  • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE