HIGH | CVE-2026-45745 | CNA: GitHub_M

CVE-2026-45745: Termix has improper certificate validation in Electron desktop client that enables MITM credential/token theft

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Starting in version 1.7.0, Termix Desktop (Electron) disables TLS certificate validation, allowing a machine-in-the-middle attacker to intercept and modify HTTPS traffic to the configured Termix server. This can lead to credential theft and JWT/session theft during login and normal use. As of time of publication, no known patched versions are available.

Metrics

  • CVSS v3.1: 8.0
  • Severity: HIGH
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Improper certificate validation in the Termix Desktop (Electron) client allows a machine-in-the-middle attacker to intercept TLS-protected traffic between the client and a Termix server. The flaw was introduced in version 1.7.0, where TLS certificate checking is disabled entirely, and affects all releases through 2.2.1. A successful attacker who can position themselves between the client and server reads or modifies HTTPS traffic, stealing login credentials and active JWT or session tokens. No patched version has been published; HarborGuard tracks this advisory and will make a rebuilt image available as soon as an upstream fix is released.
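
The advisory does not say how Termix Desktop turns validation off. As an added example (not code from Termix or HarborGuard), the scanner below flags the usual ways an Electron or Node.js client disables TLS certificate checking, so a team can audit its own desktop client for the same class of flaw; the rule list, the `scanSource` helper and the sample source are assumptions constructed for illustration.

```javascript
// Added example: heuristic scan for code that disables TLS certificate
// validation in an Electron/Node.js client. The rule list is an assumption
// (common patterns), not taken from the Termix source.
const RULES = [
  { id: 'chromium-switch', re: /appendSwitch\(\s*['"]ignore-certificate-errors['"]/ },
  { id: 'cert-error-accept',
    re: /\.on\(\s*['"]certificate-error['"][\s\S]{0,400}?callback\(\s*true\s*\)/ },
  { id: 'verify-proc-accept',
    re: /setCertificateVerifyProc\([\s\S]{0,400}?callback\(\s*0\s*\)/ },
  { id: 'node-env-override', re: /NODE_TLS_REJECT_UNAUTHORIZED['"]?\]?\s*=\s*['"]?0/ },
  { id: 'reject-unauthorized-false', re: /rejectUnauthorized\s*:\s*false/ },
];

// Blank out comments but keep newlines, so commented-out code is not
// reported and line numbers stay correct. "//" inside a URL is left alone.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, ' '))
    .replace(/(^|\s)\/\/.*$/gm, '$1');
}

// Return [{ file, line, rule }] sorted by line. Each hit needs manual review,
// because a handler may accept a certificate only after a pinning check.
function scanSource(src, file) {
  const code = stripComments(src);
  const findings = [];
  for (const rule of RULES) {
    for (const m of code.matchAll(new RegExp(rule.re.source, 'g'))) {
      const line = code.slice(0, m.index).split('\n').length;
      findings.push({ file, line, rule: rule.id });
    }
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample of an Electron main process (not Termix code).
const SAMPLE_MAIN = [
  "const { app } = require('electron');",
  "// app.commandLine.appendSwitch('ignore-certificate-errors'); (commented out)",
  "app.on('certificate-error', (event, wc, url, error, cert, callback) => {",
  "  event.preventDefault();",
  "  callback(true); // accepts any certificate",
  "});",
  "const agentOptions = { host: 'termix.example', rejectUnauthorized: false };",
].join('\n');

console.log(scanSource(SAMPLE_MAIN, 'main.js'));
```

The scan is a triage aid for source or unpacked application bundles; it complements, and does not replace, version matching against the affected range.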

HarborGuard Coverage

Detection

Detection of CVE-2026-45745 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected Termix versions (>= 1.7.0 and <= 2.2.1). Any container image in a customer registry or CI pipeline that packages the affected Termix Desktop client is flagged automatically.

Status: Available

Triage

Triage is available using the CVSS v3.1 score of 8.0 (HIGH), weighted against each environment's compliance policy to prioritize findings appropriately. Resulting triage tickets are routed to the inbox configured for the relevant team within each customer organization.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the Termix advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version appears upstream. In the meantime, customers can apply compensating controls such as network-policy isolation and egress filtering to limit exposure of affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to intercept network traffic between the Termix Desktop client and its configured server, requiring over-the-network positioning such as a compromised router, rogue Wi-Fi access point, or ARP/DNS poisoning on the local segment.

  • Authentication: Not required

    No account or credentials on the target Termix server are needed; the attacker operates at the network layer before any authentication takes place.

  • Victim interaction: Required

    A legitimate Termix Desktop user must actively connect to their Termix server, such as by opening the application and logging in, giving the attacker traffic to intercept.

  • Attack complexity: Detail

    Attack complexity is HIGH because the attacker must successfully position themselves in the network path between the client and server, which requires overcoming environmental factors such as network topology, ARP tables, or DNS resolution before the intercept can occur.

Blast Radius

  • The attacker reads plaintext login credentials (usernames and passwords) submitted through the Termix Desktop login flow.
  • The attacker captures live JWT and session tokens, which can be replayed to authenticate as the victim user without knowing their password.
  • Because the scope is changed (S:C in the CVSS vector), the attacker gains access to the Termix server's managed resources, including SSH sessions, file contents, and tunnel configurations belonging to the victim account.
  • The attacker can modify server responses in transit, injecting malicious content or altered commands into the victim's active SSH or file-editing sessions.

How HarborGuard Handles This

Available on HarborGuard: because no fix version exists for CVE-2026-45745 as of publication, the platform monitors the Termix advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention.

While no patch is available, customers can reduce exposure by:

  • applying Kubernetes network policies or firewall rules that restrict egress from Termix Desktop hosts to only known, trusted Termix server addresses;
  • deploying the client exclusively on networks with enforced 802.1X or equivalent controls to reduce machine-in-the-middle positioning opportunities; and
  • considering feature-flag gating or access controls that disable Termix Desktop use over untrusted networks until a patch is available.

HarborGuard will surface a rebuild notification automatically when the upstream project ships a corrected release.

Affected packages
  • Termix-SSH / Termix
    >= 1.7.0, <= 2.2.1
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N