7.2
Ajenti: Non-Admin Users Can Install Custom Packages
GHSA-73jv-44c3-j5p2
CVE-2026-35175
Summary
A user with a valid login can install custom packages without needing admin privileges. This is fixed in version 2.2.15. Upgrade to this version to fix the issue.
What to do
- Update ajenti-panel to version 2.2.15.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | ajenti-panel | <= 2.2.15 | 2.2.15 |
Original title
Ajenti has an authorization bypass during custom package installation
Original description
### Impact
An authenticated user (using the `auth_users` plugin authentication method) could install a custom package even if this user is not a superuser.
### Patches
This is fixed in version 2.2.15. Users should upgrade to this version as soon as possible.
ghsa CVSS4.0
7.2
Vulnerability type
CWE-862
Missing Authorization
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026