HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-45746Published Modified CNA GitHub_M

CVE-2026-45746: Termix Vulnerable to Arbitrary Command Execution via Session Hijacking

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId parameter. The backend trusts a client-controlled identifier without verifying that it belongs to the authenticated user. This allows an attacker to manipulate the value and access active File Manager sessions belonging to other users. Since these sessions are tied to SSH connections to remote VPS instances, exploitation allows unauthorized interaction with another user's remote filesystem. Because the File Manager exposes functionality such as file reading, writing, uploading, and execution, this vulnerability enables direct command execution on another user's VPS (RCE). Version 2.3.2 patches the issue.

Metrics

CVSS v3.1
9.0
Severity
CRITICAL
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Broken access control in Termix, a web-based server management platform, allows an authenticated attacker to hijack another user's active File Manager session by manipulating a client-controlled sessionId parameter that the backend fails to validate against the requesting user's identity. The vulnerability is reachable over the network with a low-privilege account, but requires the victim to have an active session open. Successful exploitation gives the attacker full read, write, upload, and command execution access on the victim's connected remote VPS. A patched-image rebuild at version 2.3.2 is available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection of CVE-2026-45746 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package Termix. Any image running a Termix version below 2.3.2 is flagged automatically.

Available
Triage

HarborGuard is capable of scoring this CVE at CVSS 9.0 Critical and weighting it against each environment's compliance policy to determine urgency and ownership routing. Findings are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild at Termix 2.3.2 becomes available on HarborGuard for any environment running an affected version once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard can execute a rebuild, run a regression test suite, and open a pull request against affected workloads automatically.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Termix web service over the network; the attack vector is network-exposed (AV:N).

  • AuthenticationRequired

    A low-privilege account is sufficient; the attacker must be authenticated to the Termix platform before manipulating the sessionId parameter (PR:L).

  • Victim interactionRequired

    The targeted user must have an active File Manager session open at the time of the attack, making victim interaction a prerequisite (UI:R).

  • Attack complexityDetail

    Exploit conditions are straightforward and reliable with no race conditions or special environmental dependencies required (AC:L).

Blast Radius

  • Attacker reads arbitrary files from the victim's remote VPS filesystem, including credentials, private keys, and application secrets.
  • Attacker writes or overwrites files on the victim's VPS, enabling persistent backdoors or configuration tampering.
  • Attacker executes arbitrary commands on the victim's VPS through the hijacked SSH-backed File Manager session, achieving full remote code execution.
  • Confidentiality, integrity, and availability of the victim's VPS environment are all fully compromised (C:H, I:H, A:H) with scope extending beyond the Termix application itself (S:C).

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45746 is active across all connected registries and build pipelines, flagging any image that includes a Termix version below 2.3.2. Given the Critical CVSS score of 9.0 and the confirmed fix at version 2.3.2, a patched-image rebuild is available for affected environments. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild at the patched version, execute regression tests, and open a pull request against affected workloads. Median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Where compliance policy requires manual approval before remediation, the finding is surfaced in the customer's priority queue with the full CVSS breakdown and fix-version detail attached.

See how HarborGuard automates this
Affected packages
  • Termix-SSH / Termix
    < 2.3.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
References