CVE-2026-45746 Overview
CVE-2026-45746 is a Broken Access Control vulnerability [CWE-284] in Termix, a web-based server management platform offering SSH terminal, tunneling, and file editing features. The flaw exists in the File Manager functionality prior to version 2.3.2. The backend trusts a client-controlled sessionId parameter without confirming it belongs to the authenticated user. An attacker can manipulate this identifier to access another user's active File Manager sessions tied to remote SSH connections. Because File Manager exposes file read, write, upload, and execution capabilities, exploitation results in remote code execution on another user's VPS.
Critical Impact
Authenticated attackers can hijack other users' File Manager sessions and execute arbitrary commands on their remote SSH-connected VPS instances.
Affected Products
- Termix versions prior to 2.3.2
- Termix File Manager component
- SSH-connected remote VPS instances managed through Termix
Discovery Timeline
- 2026-06-05 - CVE-2026-45746 published to NVD
- 2026-06-09 - Last updated in NVD database
Technical Details for CVE-2026-45746
Vulnerability Analysis
The vulnerability resides in the File Manager backend logic, which accepts a sessionId value supplied by the client. The server uses this identifier to locate and operate on an active File Manager session without first verifying that the session is owned by the requesting authenticated user. This violates the principle that every privileged action must pass its own authorization check.
Since Termix File Manager sessions wrap live SSH connections to remote hosts, hijacking a session grants the attacker full filesystem operations on the victim's VPS. The exposed operations include reading sensitive files, writing arbitrary content, uploading binaries, and executing commands. The result is reliable remote code execution scoped to whichever target the victim has connected to.
The EPSS score is 0.027% with a percentile of 7.994, but the practical impact is severe because exploitation requires only a valid low-privilege account and predictable or enumerable session identifiers.
Root Cause
The root cause is missing server-side authorization on the sessionId parameter. The Termix backend implicitly trusts the client to supply only its own session identifier instead of validating the session-to-user binding on each request. This is a classic Insecure Direct Object Reference pattern within a broader Broken Access Control failure [CWE-284].
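The missing session-to-user binding described above, shown next to a lookup that enforces it. This is an added example, not Termix source code: the session store, function names, and sample users are hypothetical.

```javascript
// Added illustration, not Termix source. All names here are hypothetical.
const sessions = new Map();   // sessionId -> { ownerId, host }
const auditLog = [];          // denied cross-user lookups, kept for review

function openSession(sessionId, ownerId, host) {
  sessions.set(sessionId, { ownerId, host });
}

// Pattern from the root cause: the session is resolved from the
// client-supplied sessionId alone; the caller's identity is ignored.
function resolveUnchecked(_authUserId, sessionId) {
  return sessions.get(sessionId) || null;
}

// Hardened pattern: authUserId comes from the server-side auth context
// (verified token or cookie), never from the request body.
function resolveOwned(authUserId, sessionId) {
  const session = sessions.get(sessionId);
  if (!session) return null;
  if (session.ownerId !== authUserId) {
    auditLog.push({ authUserId, sessionId, ownerId: session.ownerId });
    return null;
  }
  return session;
}

// Every File Manager operation goes through the resolver before touching
// the SSH connection. "Missing" and "not yours" return the same response
// so the check does not confirm which sessionId values exist.
function handleFileOp(resolve, authUserId, body) {
  const session = resolve(authUserId, body.sessionId);
  if (!session) return { status: 404, error: "session not found" };
  return { status: 200, host: session.host, op: body.op };
}

// Constructed data: two users, one session each.
openSession("fm-a1", "alice", "vps-alice.example");
openSession("fm-b1", "bob", "vps-bob.example");

function demo() {
  const crossUser = { sessionId: "fm-a1", op: "listFiles" }; // bob sends alice's id
  return {
    unchecked: handleFileOp(resolveUnchecked, "bob", crossUser).status,
    owned: handleFileOp(resolveOwned, "bob", crossUser).status,
    owner: handleFileOp(resolveOwned, "alice", crossUser).status,
    audited: auditLog.length,
  };
}
```

The audit record written on an ownership mismatch is the signal the detection guidance on this page relies on.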
Attack Vector
An authenticated attacker submits File Manager requests to the Termix backend using a sessionId belonging to another user. Once the backend accepts the identifier, the attacker can issue read, write, upload, and execute operations against the victim's SSH-connected remote host. The attack is network-reachable, requires low privileges, and depends on user interaction in that another user must have an active File Manager session.
No verified exploit code is publicly available. See the Termix GitHub Security Advisory for technical details: GHSA-cx2r-843c-vww8.
Detection Methods for CVE-2026-45746
Indicators of Compromise
- Unexpected File Manager operations performed under a sessionId not associated with the requesting user account
- SSH command execution or file writes on managed VPS instances that do not correlate with the owning user's activity
- Unusual file uploads, script drops, or chmod/chown operations originating from Termix-controlled SSH sessions
- Multiple distinct user accounts referencing the same File Manager sessionId within backend logs
Detection Strategies
- Audit Termix application logs for mismatches between the authenticated user identity and the user owning the referenced sessionId
- Correlate Termix File Manager API calls with SSH session ownership records to surface cross-user access attempts
- Monitor remote VPS hosts for command execution patterns initiated from Termix sessions outside expected operating hours or user behavior baselines
Monitoring Recommendations
- Forward Termix backend and SSH audit logs to a centralized SIEM for correlation and retention
- Alert on File Manager session enumeration attempts, including repeated requests cycling through sessionId values
- Track newly created files and executed processes on managed VPS hosts and correlate them with the authenticated Termix user
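One way to run the log checks listed above (a sessionId referenced by more than one account, and one account cycling through many sessionId values), as an added example rather than Termix tooling. The JSON-lines format, the field names, and the threshold of 3 distinct ids are assumptions, and the log lines are constructed.

```javascript
// Added illustration. Constructed JSON-lines sample; the field names are
// assumptions and Termix's real log format may differ.
const SAMPLE_LOG = [
  '{"ts":"2026-06-10T09:00:01Z","user":"alice","sessionId":"fm-101","op":"listFiles"}',
  '{"ts":"2026-06-10T09:00:05Z","user":"bob","sessionId":"fm-202","op":"readFile"}',
  '{"ts":"2026-06-10T09:01:10Z","user":"mallory","sessionId":"fm-900","op":"listFiles"}',
  'not json: truncated line',
  '{"ts":"2026-06-10T09:01:11Z","user":"mallory","sessionId":"fm-101","op":"listFiles"}',
  '{"ts":"2026-06-10T09:01:12Z","user":"mallory","sessionId":"fm-202","op":"writeFile"}',
  '{"ts":"2026-06-10T09:01:13Z","user":"mallory","sessionId":"fm-303","op":"listFiles"}',
  '{"ts":"2026-06-10T09:02:00Z","user":"alice","sessionId":"fm-101","op":"readFile"}',
];

// Build key -> Set(values), skipping malformed or incomplete lines.
function groupBy(lines, keyField, valueField) {
  const groups = new Map();
  for (const line of lines) {
    let event;
    try { event = JSON.parse(line); } catch { continue; }
    const key = event[keyField];
    const value = event[valueField];
    if (typeof key !== "string" || typeof value !== "string") continue;
    if (!groups.has(key)) groups.set(key, new Set());
    groups.get(key).add(value);
  }
  return groups;
}

// A File Manager sessionId referenced by more than one account.
function sharedSessions(lines) {
  return [...groupBy(lines, "sessionId", "user")]
    .filter(([, users]) => users.size > 1)
    .map(([sessionId, users]) => ({ sessionId, users: [...users].sort() }));
}

// Accounts referencing more distinct sessionIds than maxDistinct
// (threshold is an assumption; tune it to your normal usage).
function sessionCyclers(lines, maxDistinct = 3) {
  return [...groupBy(lines, "user", "sessionId")]
    .filter(([, ids]) => ids.size > maxDistinct)
    .map(([user]) => user)
    .sort();
}
```

In production, apply both checks over a bounded time window so that long-lived accounts are not flagged for normal session turnover.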
How to Mitigate CVE-2026-45746
Immediate Actions Required
- Upgrade Termix to version 2.3.2 or later, which enforces session ownership validation
- Invalidate all active File Manager sessions after upgrading to force re-authentication
- Review SSH-connected VPS instances for unauthorized file modifications, new accounts, or persistence artifacts
- Rotate SSH credentials and keys used by Termix to connect to remote hosts if compromise is suspected
Patch Information
The Termix maintainers fixed CVE-2026-45746 in version 2.3.2. The patch enforces server-side validation that the supplied sessionId belongs to the authenticated user before any File Manager operation is performed. Full details are available in the Termix GitHub Security Advisory GHSA-cx2r-843c-vww8.
Workarounds
- Restrict Termix access to trusted users only until upgrade to 2.3.2 is complete
- Place Termix behind an authenticated reverse proxy or VPN to reduce exposure to untrusted authenticated users
- Temporarily disable the File Manager functionality if patching cannot be performed immediately
- Enforce least-privilege SSH accounts on remote VPS instances managed by Termix to limit blast radius
# Upgrade Termix to the patched release
docker pull ghcr.io/termix-ssh/termix:2.3.2
docker stop termix && docker rm termix
# Re-create the container; add the same port (-p) and volume (-v) options your existing deployment uses
docker run -d --name termix ghcr.io/termix-ssh/termix:2.3.2
# Verify the running version
docker exec termix cat /app/package.json | grep version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

