Severity: CRITICAL | CVE-2026-45058 | CNA: GitHub_M

CVE-2026-45058: electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking a local-type bookmark

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured (gist/WebDAV). The attacker can inject exec* fields or global config to cause remote code to run when a bookmark is opened or when sync is applied.

HarborGuard Analysis

Synopsis

This is a persistent code execution vulnerability in electerm, an open-source terminal and SSH/SFTP client, affecting version 3.8.8 and earlier. An attacker who can deliver data over the network, either a malicious bookmark JSON file or a compromised sync target (GitHub Gist or WebDAV), can inject executable fields; no authentication to electerm is required, but the victim must open the bookmark or apply a sync. Successful exploitation gives the attacker arbitrary local code execution inside a terminal process on the victim's machine, with high confidentiality, integrity, and availability impact on both the vulnerable system and any connected system. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-45058 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle electerm, in both registry scans and CI pipeline checks.

Status: Available
Triage

HarborGuard is capable of scoring this CVE at its published CVSS v4.0 rating of 9.4 (Critical) and weighting it against each environment's compliance policy to determine urgency. Triage findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available
Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream release ships. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker delivers the malicious payload over the network, either by hosting a crafted bookmark JSON file for the victim to import or by compromising a network-accessible sync target such as a GitHub Gist or WebDAV endpoint.

  • Authentication: Not required

    No authentication to electerm or the affected service is required; the attacker only needs to place the malicious data where the victim can retrieve or import it.

  • Victim interaction: Required

    The victim must take an action, either importing the malicious bookmark file or triggering a sync operation, which constitutes a social-engineering vector where the attacker induces the user to open or apply attacker-controlled data.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and condition-free once the malicious bookmark or sync payload is in place; no race conditions or special environmental factors are required.

Blast Radius

  • The attacker executes arbitrary commands inside a local pseudoterminal process on the victim's machine, gaining the same privileges as the electerm process.
  • All confidential data accessible to the running user, including SSH private keys, session tokens, and local files, is readable by the attacker.
  • The attacker can modify or delete files, inject commands into open terminal sessions, and alter electerm configuration or sync targets to persist access.
  • Connected remote systems reachable through electerm SSH or SFTP sessions are exposed to lateral movement from the compromised client.

How HarborGuard Handles This

Because no upstream fix exists for CVE-2026-45058 at this time, the platform monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment electerm ships a remediated release. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression run and a PR opened against affected workloads, with no manual steps required. In the interim, compensating controls to consider include network-policy isolation to block electerm containers from reaching untrusted external sync endpoints, egress filtering to restrict outbound connections to known-good Gist or WebDAV hosts, and disabling or gating the bookmark-import and sync features via electerm configuration until a patch is available. Customers should treat any imported bookmark JSON or sync-sourced configuration as untrusted input until the upstream project publishes a fix.
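One way to apply that "treat it as untrusted" rule before an import, as an added example that is not code from electerm or HarborGuard: a small audit that walks a bookmark export and rejects the advisory's exec* fields and any embedded global config, then returns a cleaned copy with those keys dropped. The JSON layout and key names used here (`bookmarks`, `execCmd`, `globalConfig`) are assumptions constructed for the example, not electerm's real schema.

```python
import json

# Assumed key names, not electerm's real schema (constructed for this example).
BLOCKED_PREFIXES = ("exec",)        # the advisory's exec* fields
BLOCKED_KEYS = {"globalConfig"}     # bundled global config that would override settings

def audit(node, path="$"):
    """Walk parsed JSON; return [(json_path, key, reason), ...] for unsafe keys."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key.lower().startswith(BLOCKED_PREFIXES):
                findings.append((here, key, "exec* field: runs a local command on open"))
            elif key in BLOCKED_KEYS:
                findings.append((here, key, "embedded global config: overrides client settings"))
            findings.extend(audit(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(audit(item, f"{path}[{i}]"))
    return findings

def sanitize(node):
    """Deep-copy the data with every blocked key dropped; safe fields are kept."""
    if isinstance(node, dict):
        return {k: sanitize(v) for k, v in node.items()
                if not k.lower().startswith(BLOCKED_PREFIXES) and k not in BLOCKED_KEYS}
    if isinstance(node, list):
        return [sanitize(item) for item in node]
    return node

def check_import(text):
    """Parse an export and return (findings, cleaned_data); malformed JSON raises."""
    data = json.loads(text)
    return audit(data), sanitize(data)

# Constructed sample export: a benign SSH bookmark, a local bookmark with an injected
# exec-style field, and a bundled global-config block.
SAMPLE_EXPORT = json.dumps({
    "bookmarks": [
        {"title": "prod-db", "type": "ssh", "host": "10.0.0.5", "port": 22},
        {"title": "shell", "type": "local", "execCmd": "echo injected"},
    ],
    "globalConfig": {"proxy": "socks5://proxy.example:1080"},
})

if __name__ == "__main__":
    found, cleaned = check_import(SAMPLE_EXPORT)
    for json_path, _key, reason in found:
        print(f"REJECT {json_path}: {reason}")
```

The same walk can be run on data pulled from a Gist or WebDAV sync target before it is applied, since the advisory names both paths as delivery vectors.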


Metrics

CVSS v4.0 score: 9.4
Severity: CRITICAL
Fixed in: no fix version published
Affected products: 1
Affected packages:
  • electerm / electerm, versions <= 3.8.8
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H