Skip to main content

Termix CVE-2026-45746

| EUVDEUVD-2026-34874 CRITICAL
Improper Access Control (CWE-284)
2026-06-05 GitHub_M
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 05, 2026 - 20:02 EUVD
Analysis Generated
Jun 05, 2026 - 18:36 vuln.today

DescriptionGitHub Advisory

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId parameter. The backend trusts a client-controlled identifier without verifying that it belongs to the authenticated user. This allows an attacker to manipulate the value and access active File Manager sessions belonging to other users. Since these sessions are tied to SSH connections to remote VPS instances, exploitation allows unauthorized interaction with another user's remote filesystem. Because the File Manager exposes functionality such as file reading, writing, uploading, and execution, this vulnerability enables direct command execution on another user's VPS (RCE). Version 2.3.2 patches the issue.

AnalysisAI

Cross-tenant remote code execution in Termix (web-based SSH/file management platform) prior to version 2.3.2 allows an authenticated low-privileged user to hijack another user's active File Manager session by tampering with a client-supplied sessionId, gaining full read/write/execute access to that victim's remote VPS over their established SSH connection. The CVSS 9.0 score reflects scope change (the compromised session crosses the trust boundary into the victim's separate VPS) and high impact across CIA. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to Termix as low-priv user
Delivery
Enumerate or guess active File Manager sessionId
Exploit
Bind to victim's File Manager session
Execution
Write payload to victim VPS filesystem
Persist
Execute payload via File Manager
Impact
RCE on victim's remote VPS

Vulnerability AssessmentAI

Exploitation Requires (1) a valid authenticated account on the target Termix instance (PR:L), (2) a concurrent victim with an active File Manager session open against their VPS (UI:R - the attack only works while a victim session is live), and (3) the ability to submit or guess a sessionId value accepted by the File Manager backend. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely aligned toward high real-world risk: CVSS 9.0 with AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H indicates a network-reachable bug with low complexity that needs only low privileges (any logged-in Termix user) and yields scope-changing high impact on another tenant's VPS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or already holds a low-privileged account on a shared Termix instance, then issues File Manager API calls while iterating or guessing sessionId values until one resolves to another tenant's active SSH-backed File Manager session. Once attached, the attacker writes a payload to the victim's filesystem (for example, an authorized_keys entry or a cron job) and executes it through the File Manager's execute capability, achieving RCE on the victim's VPS under whatever account the victim's SSH session is connected as.
Remediation Vendor-released patch: upgrade Termix to version 2.3.2 or later, per advisory GHSA-cx2r-843c-vww8 (https://github.com/Termix-SSH/Termix/security/advisories/GHSA-cx2r-843c-vww8). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: disable the File Manager feature or restrict access to trusted, monitored systems; notify all Termix users of the session hijacking risk. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Termix

View all
CVE-2025-59951 CRITICAL POC
9.1 Oct 01

Docker default credentials in Termix server management. PoC and patch available.

CVE-2026-22804 HIGH POC
8.0 Jan 12

Stored XSS in Termix File Manager (versions 1.7.0-1.9.0) allows attackers with SSH server access to execute arbitrary Ja

CVE-2026-45744 CRITICAL
9.9 Jun 05

Remote command execution in Termix web-based server management platform (versions prior to 2.3.2) allows any authenticat

CVE-2026-45748 CRITICAL
9.8 Jun 05

OS command injection in Termix web-based server management platform prior to version 2.3.2 allows remote unauthenticated

CVE-2026-45750 CRITICAL
9.0 Jun 05

Command injection in Termix server management platform before version 2.3.2 allows authenticated users to execute arbitr

CVE-2026-42453 HIGH
8.7 May 08

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v

CVE-2026-45749 HIGH
8.1 Jun 05

Authentication bypass of MFA in Termix versions prior to 2.3.2 allows an attacker who already holds a victim's account p

CVE-2026-45743 HIGH
8.1 Jun 05

Cross-tenant SSH session hijacking in Termix versions prior to 2.3.2 allows any authenticated user to fully control anot

CVE-2026-42452 HIGH
8.1 May 08

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to v

CVE-2026-45745 HIGH
8.0 Jun 05

Machine-in-the-middle interception of HTTPS traffic in Termix Desktop (Electron) starting at version 1.7.0 allows attack

Share

CVE-2026-45746 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy