Any authenticated Ajenti user—regardless of privilege level—can install arbitrary system packages, effectively granting them root-equivalent capability on the managed server. If Ajenti administers AI/ML infrastructure (GPU nodes, model serving hosts, training environments), a compromised low-privilege account becomes a full system compromise vector. Upgrade to 2.2.15 immediately; there is no workaround short of disabling the package manager plugin.
What is the risk?
High severity despite absent CVSS vector. Exploitability is trivial for any valid account holder—no AI/ML knowledge required. The blast radius depends on what Ajenti manages: if it sits on AI infrastructure nodes (common in smaller orgs using it as a lightweight admin panel), an attacker can install backdoored Python packages, modify system dependencies for ML runtimes, or pivot laterally. The auth_users plugin is the default authentication method, making this a broad exposure. No active exploitation reported, but the primitive simplicity of the attack lowers the barrier significantly.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| ajenti-panel | pip | < 2.2.15 | 2.2.15 |
Do you use ajenti-panel? You're affected.
How severe is it?
What should I do?
6 steps-
Patch immediately: upgrade ajenti-panel to 2.2.15 (pip install --upgrade ajenti).
-
Audit package installation logs on all Ajenti-managed servers—check /var/log and Ajenti audit logs for unauthorized install events by non-superuser accounts.
-
Inventory all servers running Ajenti and cross-reference with AI/ML infrastructure inventory.
-
Enforce principle of least privilege: review which accounts have Ajenti access and remove unnecessary users.
-
If immediate patching is blocked, restrict Ajenti port access to specific admin IP ranges via firewall as a temporary control.
-
Rotate credentials for all Ajenti users as a precaution.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-35175?
Any authenticated Ajenti user—regardless of privilege level—can install arbitrary system packages, effectively granting them root-equivalent capability on the managed server. If Ajenti administers AI/ML infrastructure (GPU nodes, model serving hosts, training environments), a compromised low-privilege account becomes a full system compromise vector. Upgrade to 2.2.15 immediately; there is no workaround short of disabling the package manager plugin.
Is CVE-2026-35175 actively exploited?
No confirmed active exploitation of CVE-2026-35175 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-35175?
1. Patch immediately: upgrade ajenti-panel to 2.2.15 (pip install --upgrade ajenti). 2. Audit package installation logs on all Ajenti-managed servers—check /var/log and Ajenti audit logs for unauthorized install events by non-superuser accounts. 3. Inventory all servers running Ajenti and cross-reference with AI/ML infrastructure inventory. 4. Enforce principle of least privilege: review which accounts have Ajenti access and remove unnecessary users. 5. If immediate patching is blocked, restrict Ajenti port access to specific admin IP ranges via firewall as a temporary control. 6. Rotate credentials for all Ajenti users as a precaution.
What systems are affected by CVE-2026-35175?
This vulnerability affects the following AI/ML architecture patterns: AI/ML server infrastructure managed via Ajenti, Model serving hosts, Training pipeline nodes, Self-hosted LLM inference stacks, Jupyter/MLflow environments.
What is the CVSS score for CVE-2026-35175?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0011.001 Malicious Package AML.T0012 Valid Accounts AML.T0049 Exploit Public-Facing Application Compliance Controls Affected
What are the technical details?
Original Advisory
### Impact An authenticated user (using the `auth_users` plugin authentication method) could install a custom package even if this user is not superuser. ### Patches This is fixed in the version 2.2.15. Users should upgrade to this version as soon as possible.
Exploitation Scenario
An adversary with a low-privilege Ajenti account (obtained via phishing, credential stuffing, or insider threat) navigates to the package manager UI. They install a maliciously crafted Python package—published to PyPI under a typosquatted name resembling a common ML dependency—on a server running model inference workloads. The package executes a post-install hook that establishes a reverse shell or injects a backdoor into the site-packages directory, intercepting calls to the legitimate ML framework. The attacker now has persistent access to the ML environment, model weights, training data, and API keys stored on the server.
Weaknesses (CWE)
CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
- [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
- [Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read
Same attack type: Supply Chain CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Supply Chain CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata
Same attack type: Auth Bypass CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10)
Same attack type: Auth Bypass CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same attack type: Supply Chain