Skip to main content

Termix CVE-2026-45743

| EUVDEUVD-2026-34872 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-05 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch available
Jun 05, 2026 - 20:02 EUVD
Source Code Evidence Fetched
Jun 05, 2026 - 18:41 vuln.today
Analysis Generated
Jun 05, 2026 - 18:41 vuln.today

DescriptionGitHub Advisory

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. 16 file-manager endpoints in Termix prior to version 2.3.2 do not verify that the requesting user owns the SSH session identified by sessionId. An authenticated attacker who knows or guesses another user's active sessionId can read, write, delete, download, and execute files on the victim's connected SSH host. Version 2.3.2 patches the issue.

AnalysisAI

Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control another user's connected SSH host via predictable session identifiers. Sixteen file-manager endpoints fail to verify ownership of the sessionId parameter, enabling read, write, delete, download, and execute operations on victim hosts. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Termix instance
Delivery
Enumerate or guess victim sessionId
Exploit
Call file-manager endpoint with victim sessionId
Execution
Read, write, or execute files on victim SSH host
Impact
Exfiltrate data or pivot further

Vulnerability AssessmentAI

Exploitation Requires an authenticated Termix account on the target instance (PR:L) and the existence of at least one other user with an active SSH session whose `sessionId` the attacker can learn or guess; exploitation targets the 16 file-manager endpoints in Termix versions before 2.3.2. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 8.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) signals network reach, low complexity, low-privilege authenticated attacker, no user interaction, and high impact on confidentiality and integrity - consistent with an authenticated tenant abusing missing authorization to reach another tenant's SSH host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged user with a legitimate Termix account logs in, opens their own SSH session to obtain a sample sessionId, then enumerates or guesses sessionId values belonging to other active users and issues file-manager API calls (read, write, delete, download, execute) against those sessions. Because Termix never verifies session ownership, the attacker's commands run with the victim's SSH credentials on the victim's connected host, allowing data theft, file tampering, or arbitrary command execution on production servers.
Remediation Vendor-released patch: upgrade to Termix release-2.3.2 or later, available from https://github.com/Termix-SSH/Termix/releases/tag/release-2.3.2-tag, which adds the missing ownership checks on the 16 file-manager endpoints per GHSA-5fqh-77cr-jj5x. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Termix deployments and confirm version numbers; identify which instances are used in multi-tenant or shared access scenarios. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Termix

View all
CVE-2025-59951 CRITICAL POC
9.1 Oct 01

Docker default credentials in Termix server management. PoC and patch available.

CVE-2026-22804 HIGH POC
8.0 Jan 12

Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary Ja

CVE-2026-45744 CRITICAL
9.9 Jun 05

Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticat

CVE-2026-45748 CRITICAL
9.8 Jun 05

OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated

CVE-2026-45746 CRITICAL
9.0 Jun 05

Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an a

CVE-2026-45750 CRITICAL
9.0 Jun 05

Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitr

CVE-2026-42453 HIGH
8.7 May 08

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v

CVE-2026-45749 HIGH
8.1 Jun 05

Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account p

CVE-2026-42452 HIGH
8.1 May 08

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v

CVE-2026-45745 HIGH
8.0 Jun 05

Machine-in-the-middle interception of HTTPS traffic in Termix Desktop (Electron) starting at version 1.7.0 allows attack

Share

CVE-2026-45743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy