CVE-2026-38979 in ajentiinfo

Summary

by MITRE • 07/07/2026

ajenti through v2.2.13 has a clickjacking weakness in the browser-facing login and administrative UI. In ajenti-core/aj/http.py, the core HTTP response path initializes an empty header list, forwards handler-added headers verbatim, and finalizes responses through WSGI start_response() without adding anti-framing protections such as X-Frame-Options or a Content-Security-Policy frame-ancestors restriction.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability identified in ajenti through version 2.2.13 represents a critical clickjacking weakness that compromises the security of the browser-facing login and administrative user interface. This flaw exists within the core HTTP response handling mechanism located in ajenti-core/aj/http.py where the system initializes an empty header list before processing responses. The vulnerability stems from the absence of essential anti-framing protections during the WSGI response finalization process through start_response() method. Attackers can exploit this weakness by embedding the ajenti administrative interface within malicious frames or iframes, potentially tricking administrators into performing unintended actions while believing they are interacting with legitimate system interfaces.

The technical implementation flaw manifests in the HTTP response processing pipeline where handler-added headers are forwarded verbatim without proper security header injection. This approach fails to establish the necessary X-Frame-Options header that would prevent the application from being embedded within other websites or frames. Additionally, the absence of Content-Security-Policy frame-ancestors directives creates an environment where third-party domains can frame the ajenti administrative interface without restriction. This vulnerability directly maps to CWE-1021, which specifically addresses insufficient protection against clickjacking attacks in web applications. The flaw represents a fundamental failure in the application's security posture during response generation, leaving critical administrative functions exposed to manipulation through malicious framing techniques.

The operational impact of this vulnerability extends beyond simple user interface confusion to potentially enable complete administrative compromise of affected systems. An attacker could craft malicious websites that frame the ajenti login or admin panels, allowing them to capture authentication credentials or perform unauthorized administrative actions without the victim's knowledge. The attack surface is particularly dangerous because it targets the most privileged interfaces within the application, potentially enabling full system control. This vulnerability aligns with ATT&CK technique T1531, which focuses on 'Modify System Image' through clickjacking attacks that manipulate user interactions with legitimate applications. The exposure affects all users who access the ajenti administrative interface, making it a critical concern for organizations relying on this platform for system management.

Mitigation strategies should prioritize immediate implementation of proper anti-framing headers within the HTTP response pipeline. Organizations must ensure that all ajenti installations include X-Frame-Options headers set to DENY or SAMEORIGIN values, along with Content-Security-Policy directives specifying frame-ancestors restrictions. The fix requires modification of the ajenti-core/aj/http.py file to automatically inject these security headers during response initialization before WSGI start_response() is called. Additional protective measures include implementing proper CORS policies, ensuring that all administrative interfaces are served over HTTPS only, and conducting regular security audits to verify header implementation. System administrators should also consider deploying web application firewalls that can detect and block malicious framing attempts, while monitoring for unauthorized access patterns that might indicate successful exploitation of this vulnerability.

Responsible

MITRE

Reservation

04/06/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!