Termix
CVE-2026-42452
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT (temp_token) for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow. However, the auth middleware accepts this token on regular authenticated endpoints. This effectively turns 2FA into single-factor (password) for impacted accounts. This issue has been patched in version 2.1.0.
Analysis
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, /users/login issues a temporary JWT (temp_token) for TOTP-enabled accounts. That token carries a pendingTOTP state and should only be valid for the second-factor flow. However, the auth middleware accepts this token on regular authenticated endpoints. This effectively turns 2FA into single-factor (password) for impacted accounts. This issue has been patched in version 2.1.0.
Docker default credentials in Termix server management. PoC and patch available.
Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary Ja
Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticat
OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated
Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an a
Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitr
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v
Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account p
Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control anot
Machine-in-the-middle interception of HTTPS traffic in Termix Desktop (Electron) starting at version 1.7.0 allows attack
Same weakness CWE-304 – Missing Critical Step in Authentication
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today