CVE-2026-42454 Overview
Termix is a web-based server management platform that provides SSH terminal access, tunneling, and file editing capabilities. CVE-2026-42454 is an OS command injection vulnerability [CWE-78] affecting all Termix versions prior to 2.1.0. The Docker container management endpoints interpolate the containerId URL path parameter and WebSocket message field directly into shell commands. These commands execute via ssh2.Client.exec() on remote managed servers without sanitization or validation. An authenticated attacker can inject arbitrary operating system commands by crafting a malicious container ID, achieving remote code execution on any managed server.
Critical Impact
Authenticated attackers can achieve remote code execution on every server managed through Termix by injecting shell metacharacters into the containerId parameter.
Affected Products
- Termix versions prior to 2.1.0
- Docker container management endpoints in Termix
- WebSocket message handlers that process containerId fields
Discovery Timeline
- 2026-05-08 - CVE-2026-42454 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42454
Vulnerability Analysis
The vulnerability resides in Termix's Docker container management functionality. The application accepts a containerId value from two attacker-controlled sources: URL path parameters in HTTP requests and message fields in WebSocket communications. Termix passes these values directly into shell command strings without applying any input validation or escaping.
The constructed command strings then reach ssh2.Client.exec(), which executes them on remote managed servers over SSH. Because the shell on the remote host parses metacharacters such as ;, &&, |, and backticks, an attacker can append arbitrary commands to legitimate Docker operations. The injected commands run with the privileges of the SSH user configured for that managed server.
Root Cause
The root cause is improper neutralization of special elements used in OS commands [CWE-78]. Termix concatenates untrusted input into shell command strings rather than passing arguments as a parameter array or using strict allowlist validation for container identifiers. Docker container IDs follow a predictable hexadecimal format, but Termix does not enforce this constraint before constructing commands.
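As an added illustration of the two patterns contrasted above (example code, not Termix's own), the string-interpolating builder beside one that enforces the hexadecimal allowlist. Function names are hypothetical; the command is returned as a string rather than sent through ssh2.Client.exec(), and the example assumes containers are addressed by ID only, not by name.

```javascript
// Added example: unsafe interpolation vs. allowlist validation of a Docker
// container ID. Not Termix code; names are hypothetical.

// Docker container IDs are lowercase hex: 12-char short or 64-char full form.
// Assumption for this example: callers pass IDs, never container names.
const CONTAINER_ID_RE = /^(?:[0-9a-f]{12}|[0-9a-f]{64})$/;

// Vulnerable pattern: untrusted input dropped straight into the shell string.
// ssh2's exec() takes a single command string, so the remote shell parses it
// and any metacharacter in the ID starts a second command.
function buildInspectCommandUnsafe(containerId) {
  return `docker inspect ${containerId}`;
}

// Hardened pattern: validate against the allowlist before the value can reach
// a command string. Since only [0-9a-f] is admitted, no shell metacharacter
// can survive validation, and there is nothing left to escape.
function buildInspectCommandSafe(containerId) {
  if (typeof containerId !== 'string' || !CONTAINER_ID_RE.test(containerId)) {
    throw new Error('invalid container id');
  }
  return `docker inspect ${containerId}`;
}

// Non-throwing wrapper for callers that prefer to log and drop the request.
function tryBuildInspectCommandSafe(containerId) {
  try {
    return buildInspectCommandSafe(containerId);
  } catch (e) {
    return null;
  }
}

// Constructed sample inputs.
const GOOD_ID = '3f2a1b4c5d6e';
const BAD_ID = '3f2a1b4c5d6e; echo injected';

console.log(buildInspectCommandUnsafe(BAD_ID));  // the appended command survives
console.log(tryBuildInspectCommandSafe(BAD_ID)); // null
console.log(tryBuildInspectCommandSafe(GOOD_ID)); // docker inspect 3f2a1b4c5d6e
```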
Attack Vector
An authenticated user submits a crafted containerId value through either a vulnerable HTTP endpoint or a WebSocket message. The malicious identifier contains shell metacharacters that break out of the intended Docker command context. Termix forwards the injected payload to managed servers over SSH, where the remote shell executes the attacker's commands. The Scope:Changed designation in the CVSS vector reflects that compromise spreads from the Termix host to every downstream managed server.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-c2g2-hqgq-6w9v for additional technical details.
Detection Methods for CVE-2026-42454
Indicators of Compromise
- HTTP requests to Docker container management endpoints containing shell metacharacters such as ;, |, &, $(), or backticks within the containerId path segment
- WebSocket frames where the containerId field deviates from the expected 12- or 64-character hexadecimal Docker container ID format
- Unexpected child processes spawned by SSH sessions originating from the Termix host on managed servers
Detection Strategies
- Inspect Termix reverse proxy and application logs for non-hexadecimal characters in URL paths referencing container IDs
- Correlate SSH session activity from the Termix server with unusual command executions such as curl, wget, nc, or shell spawns on managed hosts
- Alert on outbound network connections from managed servers immediately following Termix Docker management API calls
Monitoring Recommendations
- Enable verbose audit logging on managed servers and forward authentication and command execution events to a centralized log store
- Monitor process ancestry on managed hosts for shells launched as descendants of sshd sessions tied to the Termix service account
- Track WebSocket traffic to Termix and flag messages whose containerId fields contain characters outside [0-9a-f]
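The indicator and monitoring items above (non-hexadecimal characters in container-ID URL paths, and WebSocket containerId fields outside [0-9a-f]) as one added detection routine run over constructed records; this is example code, not part of the original page. The path shape /docker/containers/<id> and the access-log format are assumptions, not Termix's real endpoints or log layout.

```javascript
// Added example: flag container IDs outside the hex allowlist in two
// constructed record types, proxy access-log lines and WebSocket JSON
// messages. Path and log formats are assumed, not Termix's actual ones.

const HEX_ID_RE = /^(?:[0-9a-f]{12}|[0-9a-f]{64})$/;
// Assumed URL shape; adjust the prefix to the real container endpoints.
const CONTAINER_PATH_RE = /\/docker\/containers\/([^/?\s]+)/;

// Pull the containerId path segment out of an access-log line. URL-decode it
// first: a ';' on the wire usually arrives as %3B. Malformed encodings are
// kept raw so they are still checked rather than silently skipped.
function containerIdFromAccessLog(line) {
  const m = CONTAINER_PATH_RE.exec(line);
  if (!m) return null;
  try { return decodeURIComponent(m[1]); } catch (e) { return m[1]; }
}

// Pull the containerId field out of a WebSocket message payload (JSON text).
function containerIdFromWsMessage(payload) {
  try {
    const msg = JSON.parse(payload);
    return typeof msg.containerId === 'string' ? msg.containerId : null;
  } catch (e) {
    return null;
  }
}

// One finding per record whose containerId is present but not well-formed.
function findSuspiciousContainerIds(accessLogLines, wsPayloads) {
  const findings = [];
  for (const line of accessLogLines) {
    const id = containerIdFromAccessLog(line);
    if (id !== null && !HEX_ID_RE.test(id)) findings.push({ source: 'http', id });
  }
  for (const payload of wsPayloads) {
    const id = containerIdFromWsMessage(payload);
    if (id !== null && !HEX_ID_RE.test(id)) findings.push({ source: 'ws', id });
  }
  return findings;
}

// Constructed sample records: one benign and one malformed ID per source.
const SAMPLE_LOG = [
  '10.0.0.5 - - [08/May/2026:10:00:00 +0000] "GET /docker/containers/3f2a1b4c5d6e/logs HTTP/1.1" 200',
  '10.0.0.9 - - [08/May/2026:10:00:03 +0000] "POST /docker/containers/3f2a1b4c5d6e%3Buptime/restart HTTP/1.1" 200',
];
const SAMPLE_WS = [
  '{"type":"container.stats","containerId":"3f2a1b4c5d6e"}',
  '{"type":"container.stats","containerId":"3f2a1b4c5d6e`uname`"}',
];
console.log(findSuspiciousContainerIds(SAMPLE_LOG, SAMPLE_WS)); // two findings
```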
How to Mitigate CVE-2026-42454
Immediate Actions Required
- Upgrade Termix to version 2.1.0 or later, which contains the official patch
- Restrict network access to the Termix management interface to trusted administrators only
- Rotate SSH credentials and keys used by Termix to access managed servers, since prior authenticated users may have abused the flaw
- Review command execution logs on all managed servers for evidence of unexpected activity
Patch Information
The vendor patched this issue in Termix release 2.1.0. The fix addresses the unsafe interpolation of the containerId parameter into shell commands invoked through ssh2.Client.exec(). Administrators should review the GitHub Security Advisory GHSA-c2g2-hqgq-6w9v for upgrade guidance.
Workarounds
- Disable the Docker container management feature in Termix until upgrading is possible
- Place Termix behind a web application firewall configured to reject requests containing shell metacharacters in containerId path parameters
- Limit Termix user accounts to trusted operators and remove any unused or shared credentials
# Upgrade Termix to the patched release
docker pull ghcr.io/termix-ssh/termix:release-2.1.0-tag
docker stop termix && docker rm termix
docker run -d --name termix ghcr.io/termix-ssh/termix:release-2.1.0-tag
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.