How is CVE-2026-45743 exploited?

Network reachability (required): The attacker must reach the Termix web application over the network; the vulnerable file-manager endpoints are HTTP-accessible services. Authentication (required): Any low-privilege Termix account is sufficient; the attacker does not need administrator rights, only a valid authenticated session of their own. Victim interaction (not-required): No action is required from the victim; the attacker calls the vulnerable endpoints directly without any social-engineering step. Attack complexity (info): The exploit is reliable and condition-free once the attacker obtains or guesses a target session ID; no race conditions or special memory layout requirements exist.

What is the impact of CVE-2026-45743?

Reads arbitrary files on the victim's connected SSH host, including credentials, private keys, and application configuration. Writes or overwrites files on the victim's SSH host, enabling persistent backdoors or configuration tampering. Deletes files on the victim's SSH host, which can destroy application data or disrupt running services. Executes files on the victim's SSH host through the file-manager execute endpoint, achieving remote code execution in the victim's session context.

Back to search

HIGHCVE-2026-45743Published 2026-06-05Modified 2026-06-05CNA GitHub_M

CVE-2026-45743: Termix has a File-Manager Session Hijack via Missing Ownership Check (IDOR)

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. 16 file-manager endpoints in Termix prior to version 2.3.2 do not verify that the requesting user owns the SSH session identified by `sessionId`. An authenticated attacker who knows or guesses another user's active `sessionId` can read, write, delete, download, and execute files on the victim's connected SSH host. Version 2.3.2 patches the issue.

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

This is an Insecure Direct Object Reference (IDOR) vulnerability in Termix, a web-based server management platform. An authenticated attacker who knows or can guess another user's active session ID can call any of 16 file-manager API endpoints without owning that session, because the server performs no ownership check. Successful exploitation gives the attacker full read, write, delete, download, and execute access to files on the victim's connected SSH host. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-45743 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including internally built images derived from Termix. No manual feed configuration is required to gain coverage.

Available

Triage

HarborGuard scores this CVE at CVSS 8.1 (HIGH) using the published v3.1 vector and can weight that score further against each customer's compliance policy (for example, elevated urgency for environments tagged as internet-facing or multi-tenant). Triage findings are routed to the team or inbox designated in each customer org's notification settings.

Available

Patch

No fix version has been published upstream for CVE-2026-45743 yet. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a remediated release, with auto-remediation customers receiving a rebuild, regression-test run, and a PR opened against affected workloads at that point.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must reach the Termix web application over the network; the vulnerable file-manager endpoints are HTTP-accessible services.
AuthenticationRequired
Any low-privilege Termix account is sufficient; the attacker does not need administrator rights, only a valid authenticated session of their own.
Victim interactionNot required
No action is required from the victim; the attacker calls the vulnerable endpoints directly without any social-engineering step.
Attack complexityDetail
The exploit is reliable and condition-free once the attacker obtains or guesses a target session ID; no race conditions or special memory layout requirements exist.

Blast Radius

Reads arbitrary files on the victim's connected SSH host, including credentials, private keys, and application configuration.
Writes or overwrites files on the victim's SSH host, enabling persistent backdoors or configuration tampering.
Deletes files on the victim's SSH host, which can destroy application data or disrupt running services.
Executes files on the victim's SSH host through the file-manager execute endpoint, achieving remote code execution in the victim's session context.

How HarborGuard Handles This

Available on HarborGuard: any image in a customer registry or pipeline that includes Termix prior to version 2.3.2 is flagged immediately upon CVE ingestion. Because no upstream fix has been published, a patched-image rebuild is not yet available; HarborGuard re-checks the advisory on every ingest cycle and will surface the rebuild automatically when the maintainer ships a remediated release. In the interim, customers can apply compensating controls through HarborGuard network-policy suggestions: isolating Termix instances behind a private-network boundary, restricting egress from Termix containers to known SSH targets only, and ensuring session IDs are generated with sufficient entropy and rotated on logout. For customers who opt into auto-remediation, the moment a fix version is confirmed upstream, HarborGuard will trigger a rebuild, run regression tests, and open a pull request against affected workloads without requiring manual intervention.

See how HarborGuard automates this

Affected packages

Termix-SSH / Termix
< 2.3.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

Metrics

Get notified