CVE-2026-45748 Overview
CVE-2026-45748 is an OS command injection vulnerability in Termix, a web-based server management platform offering SSH terminal, tunneling, and file editing features. The POST /ssh/tunnel/connect endpoint in versions prior to 2.3.2 builds SSH tunnel commands by interpolating user-controlled host record fields directly into a shell command without escaping. Attackers can persist malicious payloads in endpointIP, endpointUsername, or password fields and trigger arbitrary command execution on the source SSH host. The maintainers released version 2.3.2 to address the flaw.
Critical Impact
Unauthenticated network attackers can achieve persistent OS command injection on the Termix host, leading to full system compromise.
Affected Products
- Termix versions prior to 2.3.2
- termix:termix package distributions
- Self-hosted Termix server management deployments
Discovery Timeline
- 2026-06-05 - CVE-2026-45748 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-45748
Vulnerability Analysis
The vulnerability resides in the POST /ssh/tunnel/connect endpoint, which constructs an SSH tunnel command string by concatenating stored host record fields. The endpointIP, endpointUsername, and password fields are inserted directly into a shell invocation without sanitization or argument escaping. Because Termix stores these fields when a host record is created and reads them when a tunnel is established, an attacker who can submit a host record introduces a persistent injection primitive. Each subsequent tunnel connection re-executes the attacker-controlled payload under the privileges of the Termix process. The flaw is categorized as Improper Neutralization of Special Elements used in an OS Command [CWE-78].
Root Cause
The root cause is unsafe shell command construction. Instead of using parameterized process spawning (for example, execFile with an argument array or a library-level SSH client), the implementation interpolates raw user input into a shell string. Shell metacharacters such as ;, &&, |, and command substitution sequences $(...) retain their special meaning and break out of the intended command context.
Attack Vector
An attacker with the ability to create or modify host records submits crafted values containing shell metacharacters in the endpointIP, endpointUsername, or password fields. When the tunnel endpoint is invoked, the injected payload executes on the Termix host. Because the malicious values are persisted, exploitation is repeatable and does not require continued attacker presence at the time of execution.
No verified proof-of-concept code is publicly available. Refer to the GitHub Security Advisory GHSA-xmjh-8cc2-qm49 for additional technical details.
Detection Methods for CVE-2026-45748
Indicators of Compromise
- Host records containing shell metacharacters such as ;, |, &&, backticks, or $(...) in endpointIP, endpointUsername, or password fields
- Unexpected child processes spawned by the Termix service (for example, sh, bash, curl, wget, nc) during tunnel connect operations
- Outbound network connections from the Termix host to untrusted destinations correlated with /ssh/tunnel/connect requests
Detection Strategies
- Inspect application and reverse proxy logs for POST /ssh/tunnel/connect requests followed by anomalous process creation on the Termix host
- Audit the Termix database for stored host records containing shell metacharacters in connection fields
- Apply process-lineage detection to flag shells or network utilities launched as children of the Termix Node.js process
Monitoring Recommendations
- Forward Termix application logs, process telemetry, and outbound network flows to a centralized analytics platform for correlation
- Alert on creation or modification of host records whose IP, username, or password fields contain shell metacharacters (matching on every non-alphanumeric character will be noisy, since dots and hyphens in hostnames and punctuation in passwords are expected)
- Track new outbound connections initiated by the Termix host immediately after tunnel connect API calls
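The process-lineage and request-correlation checks from the two lists above, worked as an added example that is not part of Termix or the advisory; the Termix pid, both log formats and the 10-second window are assumed.

```javascript
// Added example, not part of Termix: flag shells or network tools that descend from
// the Termix Node.js process shortly after a tunnel-connect request. Logs are constructed.
const TERMIX_PID = 1200;   // assumed pid of the Termix node process
const SUSPICIOUS = new Set(["sh", "bash", "curl", "wget", "nc"]);
const WINDOW_MS = 10_000;  // process must start within 10 s of the request

// Constructed reverse-proxy access log: ts method path status client
const ACCESS_LOG = `
2026-06-09T10:00:01Z POST /ssh/tunnel/connect 200 10.0.0.9
2026-06-09T10:05:00Z GET /hosts 200 10.0.0.9
2026-06-09T10:05:30Z POST /ssh/tunnel/connect 200 10.0.0.9`.trim().split("\n");

// Constructed process-exec telemetry: ts pid ppid comm
const PROC_LOG = `
2026-06-09T10:00:02Z 4321 1200 sh
2026-06-09T10:00:02Z 4322 4321 ssh
2026-06-09T10:00:03Z 4323 4321 curl
2026-06-09T10:03:00Z 5000 1 bash
2026-06-09T10:05:31Z 4400 1200 ssh`.trim().split("\n");

function parseAccess(line) {
  const [ts, method, path] = line.split(" ");
  return { ts: Date.parse(ts), method, path };
}
function parseProc(line) {
  const [ts, pid, ppid, comm] = line.split(" ");
  return { ts: Date.parse(ts), pid: Number(pid), ppid: Number(ppid), comm };
}

// Walk the parent chain of pid; true if the Termix process is an ancestor.
function descendsFromTermix(pid, parentOf) {
  for (let p = parentOf.get(pid); p !== undefined && p > 1; p = parentOf.get(p)) {
    if (p === TERMIX_PID) return true;
  }
  return false;
}

// Alert on a suspicious process under Termix that started within WINDOW_MS after a
// POST /ssh/tunnel/connect. sh/bash are listed because a parameterised spawn needs no shell.
function correlateTunnelConnects(accessLines, procLines) {
  const connects = accessLines.map(parseAccess)
    .filter(e => e.method === "POST" && e.path === "/ssh/tunnel/connect");
  const procs = procLines.map(parseProc);
  const parentOf = new Map(procs.map(p => [p.pid, p.ppid]));
  return procs
    .filter(p => SUSPICIOUS.has(p.comm) && descendsFromTermix(p.pid, parentOf) &&
                 connects.some(c => p.ts >= c.ts && p.ts - c.ts <= WINDOW_MS))
    .map(p => ({ pid: p.pid, comm: p.comm, ts: new Date(p.ts).toISOString() }));
}
```

The bash process with parent pid 1 is ignored because it has no lineage back to Termix, and the ssh children are expected tunnel activity.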
How to Mitigate CVE-2026-45748
Immediate Actions Required
- Upgrade Termix to version 2.3.2 or later, which patches the command injection issue
- Restrict network exposure of the Termix management interface to trusted administrators and internal networks only
- Audit existing host records and remove any entries containing shell metacharacters in connection fields
- Rotate credentials and SSH keys accessible from the Termix host if compromise is suspected
Patch Information
Termix version 2.3.2 remediates CVE-2026-45748 by changing how the SSH tunnel command is constructed. See the GitHub Release v2.3.2 and the GitHub Security Advisory GHSA-xmjh-8cc2-qm49 for upgrade instructions and fix details.
Workarounds
- Place Termix behind an authenticated reverse proxy and limit access to vetted administrator accounts
- Run the Termix service as an unprivileged user inside a hardened container with a restrictive seccomp profile to limit the impact of injected commands
- Disable or block the /ssh/tunnel/connect endpoint at the proxy layer until the upgrade is applied
# Example: upgrade Termix container deployment to the patched release
docker pull ghcr.io/termix-ssh/termix:2.3.2
docker stop termix && docker rm termix
docker run -d --name termix \
  --user 1000:1000 \
  --read-only \
  -p 127.0.0.1:8080:8080 \
  ghcr.io/termix-ssh/termix:2.3.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

