CVE-2026-45743: Termix Auth Bypass Vulnerability

CVE-2026-45743 is an authentication bypass flaw in Termix that allows attackers to access another user's SSH session and manipulate files. This article covers the technical details, affected versions, and mitigation.

CVE-2026-45743 Overview

CVE-2026-45743 is an authorization flaw in Termix, a web-based server management platform that provides SSH terminal, tunneling, and file editing capabilities. Sixteen file-manager endpoints in versions prior to 2.3.2 fail to verify that the requesting user owns the SSH session identified by sessionId. An authenticated attacker who knows or guesses another user's active sessionId can read, write, delete, download, and execute files on the victim's connected SSH host. The flaw is classified as [CWE-639] Authorization Bypass Through User-Controlled Key. Version 2.3.2 resolves the issue.

Critical Impact

Any authenticated Termix user can hijack another user's active SSH session and gain full file-level access to the connected host, including arbitrary file execution.

Affected Products

  • Termix versions prior to 2.3.2
  • File-manager API endpoints relying on sessionId for resource scoping
  • SSH hosts connected through vulnerable Termix instances

Discovery Timeline

  • 2026-06-05 - CVE-2026-45743 published to NVD
  • 2026-06-08 - Last updated in NVD database

Technical Details for CVE-2026-45743

Vulnerability Analysis

Termix exposes 16 file-manager endpoints that accept a sessionId parameter to identify an active SSH session. The endpoints trust this identifier without verifying that the authenticated caller is the owner of the referenced session. An attacker authenticated to Termix can supply another user's sessionId and operate against the victim's SSH host as if the attacker had established the connection.

Because the SSH session retains the victim's credentials and shell context, the attacker inherits the victim's privileges on the remote host. Operations exposed through these endpoints include reading file contents, writing or overwriting files, deleting files, downloading files, and executing files. This converts a session-identifier disclosure or guess into full filesystem compromise of the connected target.

The issue is a classic Insecure Direct Object Reference, where the server uses a client-supplied key to fetch a protected resource without confirming ownership.

Root Cause

The file-manager endpoints scope SSH session lookups by sessionId only. They omit the authorization check that ties a session to the authenticated user who originally opened it. The fix in 2.3.2 introduces ownership validation across the affected endpoints.
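The missing check and its corrected form, as an added sketch that is not Termix's code or the 2.3.2 patch. The registry, the function names and the `req.userId` field (assumed to be set by authentication middleware, never read from the request body) are hypothetical.

```javascript
// Hypothetical in-memory session registry; all names are illustrative, not Termix's.
const sessions = new Map();

function openSession(sessionId, ownerUserId, host) {
  sessions.set(sessionId, { ownerUserId, host, active: true });
}

// Flawed pattern (CWE-639): the session is resolved from the client-supplied
// key alone, so any authenticated caller who presents the id gets the session.
function lookupSessionUnchecked(sessionId) {
  const s = sessions.get(sessionId);
  return s && s.active ? s : null;
}

// Corrected pattern: the lookup also requires the authenticated caller to be
// the user who opened the session.
function lookupSessionForUser(sessionId, authenticatedUserId) {
  if (typeof sessionId !== "string" || typeof authenticatedUserId !== "string") {
    return { status: 400, session: null };
  }
  const s = sessions.get(sessionId);
  // Same answer for "no such session" and "not your session", so the response
  // does not confirm which ids are live.
  if (!s || !s.active || s.ownerUserId !== authenticatedUserId) {
    return { status: 404, session: null };
  }
  return { status: 200, session: s };
}

// One guard shared by every file operation, so no handler can omit the check.
function handleFileOp(req, op) {
  const { status, session } = lookupSessionForUser(req.body?.sessionId, req.userId);
  if (!session) return { status, error: "session not found" };
  return { status: 200, result: op(session) };
}

// Constructed demo data.
openSession("s-a1", "alice", "host-a.example");
const readHost = (session) => session.host;
console.log(handleFileOp({ userId: "alice", body: { sessionId: "s-a1" } }, readHost)); // status 200
console.log(handleFileOp({ userId: "bob", body: { sessionId: "s-a1" } }, readHost));   // status 404
```
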

Attack Vector

Exploitation requires network access to the Termix application and valid user credentials. The attacker enumerates or obtains an active sessionId belonging to another user and issues file-manager API requests using that identifier. No interaction from the victim is required beyond having an active SSH session open. See the GitHub Security Advisory for endpoint-level details.

No public proof-of-concept code has been released. Technical specifics are described in prose in the upstream advisory rather than reproduced here.

Detection Methods for CVE-2026-45743

Indicators of Compromise

  • File-manager API requests where the authenticated user identifier does not match the owner of the referenced sessionId.
  • Unexpected file read, write, delete, download, or execute operations on SSH hosts during another user's active session.
  • Multiple sessionId values being probed by a single authenticated Termix account within a short timeframe.

Detection Strategies

  • Review Termix application logs for file-manager endpoint calls and correlate the requesting user with the original session owner.
  • Audit SSH host logs for filesystem changes or command executions that do not align with the legitimate user's working pattern.
  • Alert on enumeration patterns against endpoints that accept sessionId as a parameter.

Monitoring Recommendations

  • Forward Termix and SSH host logs to a centralized analytics platform and retain them long enough to investigate suspected session hijacking.
  • Track per-user counts of distinct sessionId values referenced and flag accounts referencing sessions they did not create.
  • Monitor for anomalous file execution events on SSH targets connected through Termix.
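The owner correlation and distinct-sessionId tracking described above, as an added example that is not part of Termix or the advisory. The JSON log fields, event names, window and threshold are assumptions; adapt them to what your deployment actually logs.

```javascript
// Constructed sample events. The JSON field names are assumptions for this
// example, not Termix's actual log format.
const SAMPLE_LOG = [
  '{"ts":"2026-06-09T10:00:00Z","event":"session_open","userId":"alice","sessionId":"s-a1"}',
  '{"ts":"2026-06-09T10:00:05Z","event":"session_open","userId":"bob","sessionId":"s-b1"}',
  '{"ts":"2026-06-09T10:00:10Z","event":"file_op","op":"read","userId":"alice","sessionId":"s-a1"}',
  '{"ts":"2026-06-09T10:00:12Z","event":"file_op","op":"write","userId":"bob","sessionId":"s-b1"}',
  'truncated line {"ts":',
  '{"ts":"2026-06-09T10:01:00Z","event":"file_op","op":"read","userId":"carol","sessionId":"s-x1"}',
  '{"ts":"2026-06-09T10:01:02Z","event":"file_op","op":"read","userId":"carol","sessionId":"s-x2"}',
  '{"ts":"2026-06-09T10:01:05Z","event":"file_op","op":"download","userId":"carol","sessionId":"s-a1"}',
];

function findSessionMisuse(lines, { windowMs = 60000, distinctThreshold = 3 } = {}) {
  const ownerOf = new Map(); // sessionId -> user who opened it
  const foreign = new Map(); // userId -> recent references to sessions not their own
  const alerted = new Set(); // users already flagged for enumeration
  const findings = [];
  for (const line of lines) {
    let e;
    try { e = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (e === null || typeof e !== "object") continue;
    if (e.event === "session_open") { ownerOf.set(e.sessionId, e.userId); continue; }
    if (e.event !== "file_op") continue;
    const owner = ownerOf.get(e.sessionId);
    if (owner === e.userId) continue; // caller owns the session: expected
    // No open event seen (a probe, or logs that start mid-session) versus
    // a session that another user opened.
    findings.push({
      type: owner ? "owner_mismatch" : "unknown_session",
      user: e.userId, sessionId: e.sessionId, owner: owner ?? null, op: e.op,
    });
    const ts = Date.parse(e.ts);
    const recent = (foreign.get(e.userId) || []).filter((r) => ts - r.ts <= windowMs);
    recent.push({ ts, sessionId: e.sessionId });
    foreign.set(e.userId, recent);
    const distinct = new Set(recent.map((r) => r.sessionId)).size;
    if (distinct >= distinctThreshold && !alerted.has(e.userId)) {
      alerted.add(e.userId);
      findings.push({ type: "enumeration", user: e.userId, distinct });
    }
  }
  return findings;
}

console.log(findSessionMisuse(SAMPLE_LOG));
```
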

How to Mitigate CVE-2026-45743

Immediate Actions Required

  • Upgrade Termix to version 2.3.2 or later, which adds session ownership checks to the affected file-manager endpoints.
  • Invalidate existing SSH sessions and rotate any credentials that may have been accessed through hijacked sessions.
  • Audit Termix user accounts and remove any unused or untrusted accounts to reduce the authenticated attacker pool.

Patch Information

The maintainers released the fix in Termix release-2.3.2. Details are documented in the GitHub Security Advisory GHSA-5fqh-77cr-jj5x.

Workarounds

  • Restrict Termix access to a trusted set of authenticated users until the upgrade is applied.
  • Place Termix behind a network boundary that limits exposure to only administrators who require it.
  • Terminate long-lived SSH sessions to reduce the window in which a sessionId can be abused.

```bash
# Upgrade Termix to the patched release
docker pull ghcr.io/termix-ssh/termix:2.3.2
docker stop termix && docker rm termix
# Re-deploy using your existing compose or run configuration pinned to 2.3.2
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
