CVE-2026-35175 — HIGH | AI Threat Alert

Q: Is CVE-2026-35175 actively exploited?

No confirmed active exploitation of CVE-2026-35175 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2026-35175?

1. Patch immediately: upgrade ajenti-panel to 2.2.15 (pip install --upgrade ajenti). 2. Audit package installation logs on all Ajenti-managed servers—check /var/log and Ajenti audit logs for unauthorized install events by non-superuser accounts. 3. Inventory all servers running Ajenti and cross-reference with AI/ML infrastructure inventory. 4. Enforce principle of least privilege: review which accounts have Ajenti access and remove unnecessary users. 5. If immediate patching is blocked, restrict Ajenti port access to specific admin IP ranges via firewall as a temporary control. 6. Rotate credentials for all Ajenti users as a precaution.

Q: What systems are affected by CVE-2026-35175?

This vulnerability affects the following AI/ML architecture patterns: AI/ML server infrastructure managed via Ajenti, Model serving hosts, Training pipeline nodes, Self-hosted LLM inference stacks, Jupyter/MLflow environments.

Q: What is the CVSS score for CVE-2026-35175?

No CVSS score has been assigned yet.

CISO Take

Any authenticated Ajenti user—regardless of privilege level—can install arbitrary system packages, effectively granting them root-equivalent capability on the managed server. If Ajenti administers AI/ML infrastructure (GPU nodes, model serving hosts, training environments), a compromised low-privilege account becomes a full system compromise vector. Upgrade to 2.2.15 immediately; there is no workaround short of disabling the package manager plugin.

What is the risk?

High severity despite absent CVSS vector. Exploitability is trivial for any valid account holder—no AI/ML knowledge required. The blast radius depends on what Ajenti manages: if it sits on AI infrastructure nodes (common in smaller orgs using it as a lightweight admin panel), an attacker can install backdoored Python packages, modify system dependencies for ML runtimes, or pivot laterally. The auth_users plugin is the default authentication method, making this a broad exposure. No active exploitation reported, but the primitive simplicity of the attack lowers the barrier significantly.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
ajenti-panel	pip	< 2.2.15	`2.2.15`

Do you use ajenti-panel? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

0.0%

chance of exploitation in 30 days

Higher than 7% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

6 steps

Patch immediately: upgrade ajenti-panel to 2.2.15 (pip install --upgrade ajenti).
Audit package installation logs on all Ajenti-managed servers—check /var/log and Ajenti audit logs for unauthorized install events by non-superuser accounts.
Inventory all servers running Ajenti and cross-reference with AI/ML infrastructure inventory.
Enforce principle of least privilege: review which accounts have Ajenti access and remove unnecessary users.
If immediate patching is blocked, restrict Ajenti port access to specific admin IP ranges via firewall as a temporary control.
Rotate credentials for all Ajenti users as a precaution.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Supply Chain Code Execution Framework Plugin AML.T0010.001 - AI Software AML.T0011.001 - Malicious Package AML.T0012 - Valid Accounts AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.3 - Access control to AI systems

NIST AI RMF

GOVERN 1.7 - Processes for vulnerability disclosure and incident response MANAGE 2.4 - Residual risks are managed

OWASP LLM Top 10

LLM08:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-35175?

Any authenticated Ajenti user—regardless of privilege level—can install arbitrary system packages, effectively granting them root-equivalent capability on the managed server. If Ajenti administers AI/ML infrastructure (GPU nodes, model serving hosts, training environments), a compromised low-privilege account becomes a full system compromise vector. Upgrade to 2.2.15 immediately; there is no workaround short of disabling the package manager plugin.

Is CVE-2026-35175 actively exploited?

No confirmed active exploitation of CVE-2026-35175 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-35175?

1. Patch immediately: upgrade ajenti-panel to 2.2.15 (pip install --upgrade ajenti). 2. Audit package installation logs on all Ajenti-managed servers—check /var/log and Ajenti audit logs for unauthorized install events by non-superuser accounts. 3. Inventory all servers running Ajenti and cross-reference with AI/ML infrastructure inventory. 4. Enforce principle of least privilege: review which accounts have Ajenti access and remove unnecessary users. 5. If immediate patching is blocked, restrict Ajenti port access to specific admin IP ranges via firewall as a temporary control. 6. Rotate credentials for all Ajenti users as a precaution.

What systems are affected by CVE-2026-35175?

This vulnerability affects the following AI/ML architecture patterns: AI/ML server infrastructure managed via Ajenti, Model serving hosts, Training pipeline nodes, Self-hosted LLM inference stacks, Jupyter/MLflow environments.

What is the CVSS score for CVE-2026-35175?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Impact An authenticated user (using the `auth_users` plugin authentication method) could install a custom package even if this user is not superuser. ### Patches This is fixed in the version 2.2.15. Users should upgrade to this version as soon as possible.

Exploitation Scenario

An adversary with a low-privilege Ajenti account (obtained via phishing, credential stuffing, or insider threat) navigates to the package manager UI. They install a maliciously crafted Python package—published to PyPI under a typosquatted name resembling a common ML dependency—on a server running model inference workloads. The package executes a post-install hook that establishes a reverse shell or injects a backdoor into the site-packages directory, intercepting calls to the legitimate ML framework. The attacker now has persistent access to the ML environment, model weights, training data, and API keys stored on the server.