CVE-2026-45749 Overview
Termix is a web-based server management platform offering SSH terminal, tunneling, and file editing features. CVE-2026-45749 is an authentication weakness (CWE-308, Use of Single-factor Authentication) affecting Termix versions prior to 2.3.2. The POST /users/totp/disable and POST /users/totp/backup-codes endpoints accept the account password as the sole authentication factor for MFA-critical operations. An attacker who holds a victim's password can disable Time-based One-Time Password (TOTP) protection or regenerate backup codes without ever possessing the TOTP device, which effectively nullifies two-factor authentication on affected installations.
Critical Impact
Attackers who obtain a Termix user password through phishing, credential stuffing, or exposed password hashes can bypass TOTP entirely and gain full account access even though MFA is enabled.
Affected Products
- Termix versions prior to 2.3.2
- Affected endpoints: POST /users/totp/disable and POST /users/totp/backup-codes
Discovery Timeline
- 2026-06-05 - CVE-2026-45749 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-45749
Vulnerability Analysis
The flaw is categorized as Use of Single-Factor Authentication (CWE-308) on operations that should require step-up authentication. Termix's TOTP management endpoints validate only the user's password before performing security-sensitive state changes. Disabling TOTP or regenerating backup codes are MFA-critical operations that must require possession of the second factor itself.
Because the password is treated as sufficient proof of identity, the second factor never participates in authorization for its own removal. The attacker can submit a valid password to POST /users/totp/disable and the server tears down TOTP enrollment. Alternatively, calling POST /users/totp/backup-codes returns freshly generated codes that the attacker can then use to satisfy MFA on subsequent logins.
Root Cause
The endpoints implement authorization checks that confirm only knowledge of the password. The TOTP factor is excluded from re-authentication on its own teardown path. This breaks the security boundary that MFA is intended to enforce, because compromise of a single factor cascades into full account control.
Attack Vector
Exploitation requires network access to the Termix application and a valid user password. Password compromise can occur through phishing, credential stuffing using reused credentials, or password hash exposure such as the leak referenced in the related GitHub advisory. After obtaining the password, the attacker issues an authenticated request to the TOTP disable or backup-code endpoint, then logs in using only the password or a newly issued backup code.
No TOTP device, secret, or live one-time code is required at any stage. The attack is fully remote and does not depend on user interaction beyond the initial credential theft. Refer to the GitHub Security Advisory GHSA-wqfw-rqj7-fv9m for vendor technical detail.
Detection Methods for CVE-2026-45749
Indicators of Compromise
- HTTP POST requests to /users/totp/disable followed by successful logins for the same account that were not challenged for a TOTP code.
- HTTP POST requests to /users/totp/backup-codes from IP addresses or user agents not previously associated with the account.
- TOTP state transitions where MFA changes from enabled to disabled without a corresponding user-initiated security setting change in the UI.
Detection Strategies
- Audit Termix application logs for calls to the two TOTP endpoints and correlate with the originating session, IP address, and geolocation.
- Alert when a TOTP disable event is followed by a login from a new device or region within a short window.
- Compare account configuration snapshots over time to surface unexplained MFA downgrades.
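As an added example, not part of the original page and not Termix's own code, the following TypeScript correlates the indicators above over constructed Termix-style access events: it builds a per-user baseline of IP addresses with prior successful activity, flags a successful TOTP-management call from an IP outside that baseline, flags every backup-code regeneration, and flags a successful login that was not challenged for TOTP within a window after a TOTP disable. The event fields (ts, user, ip, method, path, status, mfaChallenged), the /login path, the six-hour window and the sample entries are all assumptions; Termix's real log schema is not shown on this page.

```typescript
// Added example, not Termix code: correlating TOTP-teardown calls with follow-on logins.
// Event shape, the /login path, the window and the sample entries are all constructed.
interface LogEvent {
  ts: number;              // epoch seconds
  user: string;
  ip: string;
  method: string;
  path: string;
  status: number;
  mfaChallenged?: boolean; // assumed field on login events: was a TOTP code demanded?
}

type AlertKind = "totp_mgmt_from_unknown_ip" | "login_without_totp_after_disable" | "backup_codes_regenerated";
interface Alert { kind: AlertKind; user: string; ts: number; ip: string }

const TOTP_DISABLE = "/users/totp/disable";
const TOTP_BACKUP = "/users/totp/backup-codes";
const LOGIN_PATH = "/login";          // assumed name of the login endpoint
const WINDOW_SECONDS = 6 * 60 * 60;   // how long after a disable a no-TOTP login stays suspicious

function detectTotpBypass(events: LogEvent[]): Alert[] {
  const alerts: Alert[] = [];
  const knownIps = new Map<string, Set<string>>(); // per user: IPs with prior successful activity
  const lastDisable = new Map<string, LogEvent>();

  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    const ips = knownIps.get(e.user) ?? new Set<string>();
    knownIps.set(e.user, ips);
    const isTotpMgmt = e.method === "POST" && (e.path === TOTP_DISABLE || e.path === TOTP_BACKUP);

    if (isTotpMgmt && e.status === 200) {
      if (!ips.has(e.ip)) alerts.push({ kind: "totp_mgmt_from_unknown_ip", user: e.user, ts: e.ts, ip: e.ip });
      if (e.path === TOTP_BACKUP) alerts.push({ kind: "backup_codes_regenerated", user: e.user, ts: e.ts, ip: e.ip });
      if (e.path === TOTP_DISABLE) lastDisable.set(e.user, e);
      continue; // a teardown call must never establish its own IP as "known"
    }

    if (e.method === "POST" && e.path === LOGIN_PATH && e.status === 200) {
      const d = lastDisable.get(e.user);
      // Logins without the field at all are not flagged; only an explicit "no challenge" is.
      if (d && e.ts - d.ts <= WINDOW_SECONDS && e.mfaChallenged === false) {
        alerts.push({ kind: "login_without_totp_after_disable", user: e.user, ts: e.ts, ip: e.ip });
      }
    }
    if (e.status === 200) ips.add(e.ip); // only successful (authenticated) activity builds the baseline
  }
  return alerts;
}

// Constructed sample: alice is the victim (attacker at 203.0.113.7); bob legitimately rotates his codes.
const SAMPLE_EVENTS: LogEvent[] = [
  { ts: 1000, user: "alice", ip: "10.0.0.5", method: "POST", path: "/login", status: 200, mfaChallenged: true },
  { ts: 1500, user: "bob", ip: "10.0.0.9", method: "POST", path: "/login", status: 200, mfaChallenged: true },
  { ts: 1600, user: "bob", ip: "10.0.0.9", method: "POST", path: TOTP_BACKUP, status: 200 },
  { ts: 2000, user: "alice", ip: "10.0.0.5", method: "GET", path: "/hosts", status: 200 },
  { ts: 4000, user: "alice", ip: "198.51.100.4", method: "POST", path: TOTP_DISABLE, status: 401 }, // wrong password
  { ts: 5000, user: "alice", ip: "203.0.113.7", method: "POST", path: TOTP_DISABLE, status: 200 },
  { ts: 5100, user: "alice", ip: "203.0.113.7", method: "POST", path: "/login", status: 200, mfaChallenged: false },
];

console.log(JSON.stringify(detectTotpBypass(SAMPLE_EVENTS), null, 2));
```

On the sample above this yields three alerts: bob's backup-code regeneration (a known IP, so no unknown-IP alert), alice's TOTP disable from 203.0.113.7, and alice's unchallenged login 100 seconds later. The failed attempt from 198.51.100.4 produces nothing here; a production rule would usually count failed calls to these endpoints as well, since they are credential-stuffing precursors.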
Monitoring Recommendations
- Forward Termix access and audit logs to a centralized logging platform with retention sufficient for incident review.
- Monitor authentication failure spikes that may indicate credential stuffing precursors to MFA bypass.
- Treat regeneration of backup codes as a high-priority security event and notify the account owner whenever it occurs.
How to Mitigate CVE-2026-45749
Immediate Actions Required
- Upgrade Termix to version 2.3.2 or later, which patches the authentication logic on the affected endpoints.
- Force a password reset for all Termix users, especially if password hashes may have been exposed.
- Require users to re-enroll TOTP and rotate backup codes after upgrading.
Patch Information
The vendor released the fix in Termix release-2.3.2-tag. Version 2.3.2 enforces that MFA-critical operations require validation of the second factor, not just the password. Administrators should consult the GitHub Security Advisory GHSA-wqfw-rqj7-fv9m for vendor remediation guidance.
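To make the root cause and the nature of the fix concrete, here is an added TypeScript example; it is not Termix's code and does not reproduce the project's handlers. It places a password-only disable handler of the shape the advisory describes beside a hardened version in which disabling TOTP or regenerating backup codes requires, in addition to the password, a fresh TOTP code or one unused backup code. The user record shape, handler signatures, scrypt password hashing and backup-code format are assumptions for illustration; the TOTP routine follows RFC 4226/6238 (HMAC-SHA1, six digits, 30-second step) and is exercised against the RFC test secret.

```typescript
// Added example, not Termix's own code: the password-only teardown CVE-2026-45749
// describes, beside a hardened handler that demands the second factor as well.
// User record shape, handler signatures, scrypt hashing and backup-code format are assumptions.
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from "crypto";

interface User {
  name: string;
  salt: Buffer;
  passwordHash: Buffer;      // scrypt(password, salt)
  totpSecret: Buffer | null; // null once TOTP is disabled
  backupCodes: string[];     // would be stored hashed in a real system
}
type Outcome = { ok: true } | { ok: false; reason: string };
interface StepUpRequest { password: string; totpCode?: string; backupCode?: string }

function hashPassword(password: string, salt: Buffer): Buffer {
  return scryptSync(password, salt, 32);
}
function passwordMatches(user: User, password: string): boolean {
  return timingSafeEqual(user.passwordHash, hashPassword(password, user.salt));
}

// RFC 4226 HOTP with HMAC-SHA1 and 6 digits; RFC 6238 TOTP is HOTP over a 30-second counter.
function hotp(secret: Buffer, counter: number): string {
  const msg = Buffer.alloc(8);
  msg.writeUInt32BE(Math.floor(counter / 0x100000000), 0);
  msg.writeUInt32BE(counter >>> 0, 4);
  const mac = createHmac("sha1", secret).update(msg).digest();
  const off = mac[mac.length - 1] & 0x0f;
  const bin = ((mac[off] & 0x7f) << 24) | (mac[off + 1] << 16) | (mac[off + 2] << 8) | mac[off + 3];
  return String(bin % 1000000).padStart(6, "0");
}
function totpValid(secret: Buffer, code: string, nowSeconds: number, skewSteps = 1): boolean {
  const step = Math.floor(nowSeconds / 30);
  for (let i = -skewSteps; i <= skewSteps; i++) {
    const expected = hotp(secret, step + i);
    if (code.length === expected.length && timingSafeEqual(Buffer.from(code), Buffer.from(expected))) return true;
  }
  return false;
}

// Second factor: a fresh TOTP code, or one unused backup code (consumed on use).
function secondFactorPresented(user: User, req: StepUpRequest, nowSeconds: number): boolean {
  if (user.totpSecret && req.totpCode && totpValid(user.totpSecret, req.totpCode, nowSeconds)) return true;
  if (req.backupCode) {
    const idx = user.backupCodes.indexOf(req.backupCode);
    if (idx >= 0) { user.backupCodes.splice(idx, 1); return true; }
  }
  return false;
}

// VULNERABLE shape (CWE-308): the password alone authorises removal of the second factor.
function disableTotpVulnerable(user: User, req: { password: string }): Outcome {
  if (!passwordMatches(user, req.password)) return { ok: false, reason: "bad password" };
  user.totpSecret = null;
  user.backupCodes = [];
  return { ok: true };
}

// HARDENED shape: the factor being removed must take part in authorising its own removal.
function disableTotpHardened(user: User, req: StepUpRequest, nowSeconds: number): Outcome {
  if (!passwordMatches(user, req.password)) return { ok: false, reason: "bad password" };
  if (user.totpSecret === null) return { ok: false, reason: "TOTP not enrolled" };
  if (!secondFactorPresented(user, req, nowSeconds)) return { ok: false, reason: "second factor required" };
  user.totpSecret = null;
  user.backupCodes = [];
  return { ok: true };
}

// HARDENED backup-code regeneration: same step-up; returns the new codes, or null when refused.
function regenerateBackupCodesHardened(user: User, req: StepUpRequest, nowSeconds: number): string[] | null {
  if (!passwordMatches(user, req.password) || !secondFactorPresented(user, req, nowSeconds)) return null;
  user.backupCodes = Array.from({ length: 8 }, () => randomBytes(5).toString("hex"));
  return user.backupCodes;
}

const RFC_SECRET = Buffer.from("12345678901234567890", "ascii"); // RFC 4226/6238 test-vector secret
function makeUser(name: string, password: string, totpSecret: Buffer): User {
  const salt = randomBytes(16);
  return { name, salt, passwordHash: hashPassword(password, salt), totpSecret, backupCodes: ["c0de-0001"] };
}

// Demo: with the password alone, the vulnerable handler disables TOTP; the hardened one refuses.
const victim = makeUser("alice", "hunter2", RFC_SECRET);
console.log("vulnerable:", disableTotpVulnerable(victim, { password: "hunter2" }));   // { ok: true }
const victim2 = makeUser("alice", "hunter2", RFC_SECRET);
console.log("hardened, password only:", disableTotpHardened(victim2, { password: "hunter2" }, 59));
console.log("hardened, password + TOTP:", disableTotpHardened(victim2, { password: "hunter2", totpCode: hotp(RFC_SECRET, 1) }, 59));
```

Two design points carry over to any real fix. The step-up check runs after the password check but before any state change, so a refused request leaves enrollment untouched, and a backup code presented for step-up is consumed even when it is then replaced, so a leaked code cannot be replayed. Regeneration should additionally be reported to the account owner, since under this CVE freshly issued codes are exactly what an attacker uses to satisfy MFA on the next login.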
Workarounds
- Restrict network access to the Termix administrative interface using IP allow-lists or a VPN until the upgrade is applied.
- Enforce strong, unique passwords and rate-limit authentication attempts to reduce the feasibility of credential stuffing.
- Notify users to monitor account activity and report any unexpected MFA changes immediately.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

