HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-45744Published Modified CNA GitHub_M

CVE-2026-45744: Termix has an OS Command Injection in File Manager resolvePath endpoint

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/file_manager/ssh/resolvePath endpoint in Termix is vulnerable to OS command injection. The endpoint uses double-quote escaping for shell command construction, which does not prevent $(...) and backtick command substitution. Any authenticated user with an active File Manager SSH session can execute arbitrary commands on the connected remote host. Version 2.3.2 patches the issue.

Metrics

CVSS v3.1
9.9
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

OS command injection in Termix, a web-based server management platform with SSH terminal and file management capabilities. The vulnerability is reachable over the network by any authenticated user holding a low-privilege account with an active File Manager SSH session, requiring no victim interaction. Successful exploitation gives the attacker arbitrary command execution on the remote host connected through Termix, with full control over confidentiality, integrity, and availability of that system, and with scope extending beyond the Termix process itself. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment upstream ships a release.

HarborGuard Coverage

Detection

Detection of CVE-2026-45744 is available across every HarborGuard environment - the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Termix. Any image carrying an affected Termix version is flagged automatically as new scan results arrive.

Available
Triage

Triage is available with a CVSS v3.1 score of 9.9 (Critical), weighted against each customer environment's compliance policy to reflect actual exposure level. Findings are routable to the appropriate team inbox within each customer org based on configured ownership and severity thresholds.

Available
Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix release appears upstream. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once the patch is available.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The vulnerable endpoint is exposed over the network, so an attacker must be able to reach the Termix web service from a network-accessible location.

  • AuthenticationRequired

    Any low-privilege Termix account with an active File Manager SSH session is sufficient; no administrative credentials are needed.

  • Victim interactionNot required

    The attacker sends a crafted request directly to the API endpoint and does not need any action from another user.

  • Attack complexityDetail

    Exploitation is reliable and condition-free - the double-quote escaping bypass using $(...) or backtick substitution requires no race conditions or special environmental factors.

Blast Radius

  • Attacker executes arbitrary OS commands on the remote host connected through Termix, gaining full shell-level access to that system.
  • All files, credentials, secrets, and data stored on the remote host are readable and exfiltrable by the attacker.
  • The attacker can modify or delete any file on the remote host, including configuration files, application data, and stored keys.
  • The remote host and any services running on it can be crashed, reconfigured, or used as a pivot point into adjacent systems, given the Changed scope of the vulnerability.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-45744 is tracked continuously with no upstream fix currently published. On every advisory ingest cycle, HarborGuard re-checks the Termix upstream for a patch release and will trigger a patched-image rebuild automatically the moment one appears - customers with auto-remediation enabled will receive the rebuild, regression test run, and a PR opened against affected workloads without manual steps. While no patch is available, compensating controls worth considering include restricting network access to the Termix web interface using Kubernetes NetworkPolicy or equivalent ingress rules to limit which principals can reach the resolvePath endpoint, enforcing egress filtering on hosts connected through File Manager sessions to reduce lateral movement opportunity, and auditing which accounts hold active SSH sessions through Termix to limit the pool of users who can reach the vulnerable code path. HarborGuard will surface a patch-available notification and initiate the rebuild pipeline as soon as the upstream fix is confirmed.

See how HarborGuard automates this
Affected packages
  • Termix-SSH / Termix
    < 2.3.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
References