
CVE-2026-45750: Termix Server Management RCE Vulnerability

CVE-2026-45750 is a remote code execution flaw in the Termix server management platform that allows attackers to execute shell commands via path parameter injection. This post covers technical details, affected versions, and mitigation.

CVE-2026-45750 Overview

CVE-2026-45750 is a command injection vulnerability in Termix, a web-based server management platform that provides SSH terminal, tunneling, and file editing capabilities. The flaw resides in the GET /ssh/file_manager/ssh/resolvePath endpoint of the Termix File Manager component. The endpoint embeds the user-controlled path parameter into a shell command executed over the active SSH session. Only double quotes are escaped, so shell command substitution syntax such as $(...) is interpreted by the remote shell. Termix version 2.3.2 fixes the issue.

Critical Impact

Authenticated attackers can inject arbitrary shell commands that execute on remote hosts through the active SSH session managed by Termix.

Affected Products

  • Termix versions prior to 2.3.2
  • Termix File Manager component
  • Deployments exposing the /ssh/file_manager/ssh/resolvePath endpoint

Discovery Timeline

  • 2026-06-05 - CVE-2026-45750 published to NVD
  • 2026-06-08 - Last updated in NVD database

Technical Details for CVE-2026-45750

Vulnerability Analysis

The vulnerability is classified as OS Command Injection [CWE-78]. Termix exposes a REST endpoint, GET /ssh/file_manager/ssh/resolvePath, that resolves a filesystem path on a remote host over SSH. The server constructs a shell command by interpolating the path query parameter into a double-quoted string. The sanitization routine escapes double quote characters but does not neutralize other shell metacharacters that retain their meaning inside double quotes.

Shell command substitution using $(...) and backtick syntax remains active inside double-quoted strings. An attacker who supplies a crafted path value causes the remote shell to evaluate the substitution before executing the intended resolution command. The injected payload runs with the privileges of the SSH user that Termix is connected as on the target host.

Exploitation requires an authenticated session in Termix and an active SSH connection to a target server. Successful exploitation produces arbitrary command execution on the connected host. The scope changes because the injected commands run on a different system than the Termix server itself.

Root Cause

The root cause is incomplete input sanitization in the shell command construction logic. The path parameter is wrapped in double quotes, and the implementation escapes only the double quote character. Shell expansion features that operate inside double-quoted contexts, including $(command) substitution, backtick substitution, and variable expansion, remain functional.
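
The quoting gap described above, reproduced against a local POSIX shell as an added example (not Termix source code and not taken from the advisory). `printf` stands in for the path-resolution command, which this page does not show; the function names and the `MARKER` variable are hypothetical, and single quoting is shown as one general hardening, not as the change made in 2.3.2.

```javascript
// Added illustration, not Termix source. `printf` stands in for the real
// path-resolution command; all function names here are hypothetical.
const { execFileSync } = require("node:child_process");

// Flawed pattern: wrap the value in double quotes and escape only `"`.
function buildDoubleQuoted(path) {
  return "printf '%s\\n' \"" + path.replace(/"/g, '\\"') + "\"";
}

// Hardened quoting: single quotes disable every expansion; an embedded
// single quote is written as '\'' (close, escaped quote, reopen).
function buildSingleQuoted(path) {
  return "printf '%s\\n' '" + path.replace(/'/g, "'\\''") + "'";
}

// Run a command line in a local shell with a fixed MARKER variable so the
// variable-expansion case is deterministic; return trimmed stdout.
function runInShell(commandLine) {
  const env = { PATH: process.env.PATH, MARKER: "EXPANDED" };
  return execFileSync("sh", ["-c", commandLine], { encoding: "utf8", env }).trim();
}

// What the shell actually hands to the command under each quoting style.
function compare(path) {
  return {
    doubleQuoted: runInShell(buildDoubleQuoted(path)),
    singleQuoted: runInShell(buildSingleQuoted(path)),
  };
}

// Constructed, harmless inputs: expansion only prints a marker string.
const samples = [
  "/var/log/app",
  "/tmp/$(echo EXPANDED)",
  "/tmp/`echo EXPANDED`",
  "/tmp/$MARKER",
  "/tmp/it's \"quoted\"",
];

for (const sample of samples) {
  const result = compare(sample);
  const changed = result.doubleQuoted !== sample ? "ALTERED BY SHELL" : "intact";
  console.log(`${JSON.stringify(sample)} -> double-quoted: ${changed}, ` +
    `single-quoted intact: ${result.singleQuoted === sample}`);
}
```

Where the design allows it, passing the path as a separate argument with no shell involved removes the quoting problem entirely.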

Attack Vector

An authenticated Termix user issues a request to the resolvePath endpoint with a path parameter containing shell command substitution syntax. Termix forwards the malformed command to the remote shell over the active SSH session, where the substitution executes before path resolution. The injected commands run on the remote host under the SSH session's user context.

The vulnerability mechanics are described in the Termix Security Advisory GHSA-v26q-rpv5-9m72. No public proof-of-concept code is referenced in the advisory.

Detection Methods for CVE-2026-45750

Indicators of Compromise

  • HTTP requests to /ssh/file_manager/ssh/resolvePath containing $(, backticks, or other shell substitution syntax in the path parameter
  • Unexpected child processes spawned under the SSH user account on hosts managed by Termix
  • Outbound network connections from managed hosts originating from shells invoked through Termix sessions
  • New or modified files on managed hosts whose timestamps correlate with Termix File Manager requests

Detection Strategies

  • Inspect Termix application logs for resolvePath requests containing shell metacharacters in path values
  • Correlate Termix session activity with shell auditing on managed hosts using auditd or equivalent
  • Alert on anomalous process trees descending from sshd sessions associated with the Termix service account
  • Compare deployed Termix version against 2.3.2 to identify vulnerable instances
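
One way to implement the first strategy above, as an added example (not Termix or vendor code). It assumes the reverse proxy writes combined-format access logs with full query strings; the log lines are constructed samples, and the function names are hypothetical.

```javascript
// Added detection sketch (not Termix or vendor code). The combined-format
// access log lines are constructed samples using documentation IP ranges.
const ENDPOINT = "/ssh/file_manager/ssh/resolvePath";
// Expansion syntax that stays live inside a double-quoted shell string.
const SUBSTITUTION = /\$\(|`|\$\{|\$[A-Za-z_]/;

// Percent-decode up to three more times so double-encoded values surface.
function decodeFully(value) {
  let current = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(current); } catch { break; }
    if (next === current) break;
    current = next;
  }
  return current;
}

// Return the decoded `path` value when a log line is a resolvePath request
// carrying substitution syntax; otherwise return null.
function inspectLine(line) {
  const match = line.match(/"[A-Z]+ (\S+) HTTP\/[\d.]+"/);
  if (!match) return null;
  let url;
  try { url = new URL(match[1], "http://log.invalid"); } catch { return null; }
  if (url.pathname !== ENDPOINT) return null;
  const raw = url.searchParams.get("path"); // already decoded once
  if (raw === null) return null;
  const decoded = decodeFully(raw);
  return SUBSTITUTION.test(decoded) ? decoded : null;
}

function findSuspicious(lines) {
  return lines
    .map((line, index) => ({ lineNumber: index + 1, path: inspectLine(line) }))
    .filter((hit) => hit.path !== null);
}

const sampleLog = [
  '192.0.2.10 - - [08/Jun/2026:10:01:02 +0000] "GET /ssh/file_manager/ssh/resolvePath?path=%2Fvar%2Flog HTTP/1.1" 200 64',
  '192.0.2.44 - - [08/Jun/2026:10:03:17 +0000] "GET /ssh/file_manager/ssh/resolvePath?path=%2Ftmp%2F%24%28echo+MARK%29 HTTP/1.1" 200 71',
  '192.0.2.44 - - [08/Jun/2026:10:03:40 +0000] "GET /ssh/file_manager/ssh/resolvePath?path=%2Ftmp%2F%2560echo%2560 HTTP/1.1" 200 70',
  '198.51.100.7 - - [08/Jun/2026:10:05:00 +0000] "GET /api/other?path=%24%28x%29 HTTP/1.1" 404 0',
];

for (const hit of findSuspicious(sampleLog)) {
  console.log(`line ${hit.lineNumber}: suspicious path ${JSON.stringify(hit.path)}`);
}
```

A path that legitimately contains `$` followed by a letter will also match, so treat hits as leads to correlate with host-side auditing rather than as confirmed exploitation.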

Monitoring Recommendations

  • Enable verbose request logging on the Termix reverse proxy to capture full query strings
  • Forward shell command auditing from SSH-managed hosts to a central log platform for retrospective analysis
  • Monitor for outbound connections from managed servers to unknown destinations following Termix activity
  • Track Termix version inventory and flag any host running a release earlier than 2.3.2

How to Mitigate CVE-2026-45750

Immediate Actions Required

  • Upgrade Termix to version 2.3.2 or later on all deployments
  • Restrict network access to the Termix web interface to trusted administrators only
  • Rotate SSH credentials configured in Termix if exploitation is suspected
  • Audit shell command history and process logs on hosts that Termix has managed

Patch Information

Termix version 2.3.2 removes the unsafe shell command construction in the resolvePath endpoint. Release details are documented in the Termix 2.3.2 Release Notes. Administrators should redeploy from the official container image or source release after upgrading.

Workarounds

  • Disable the Termix File Manager feature until the patched version is deployed
  • Block requests to /ssh/file_manager/ssh/resolvePath at the reverse proxy layer
  • Limit Termix SSH connections to low-privilege accounts on managed hosts to reduce blast radius
  • Require multi-factor authentication for all Termix user accounts to limit attacker access

# Example nginx reverse proxy rule to block the vulnerable endpoint until patched
location /ssh/file_manager/ssh/resolvePath {
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
