CVE-2026-45748: Termix Vulnerable to Remote Code Execution via SSH Tunnel Forward Command Injection
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /ssh/tunnel/connect` endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields (`endpointIP`, `endpointUsername`, `password`) directly into a shell command without escaping, allowing persistent OS command injection on the source SSH host. Version 2.3.2 patches the issue.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Command injection in Termix, a web-based server management platform with SSH terminal and tunneling capabilities, allows an unauthenticated remote attacker to inject arbitrary OS commands through the POST /ssh/tunnel/connect endpoint. The endpoint interpolates user-controlled fields (endpointIP, endpointUsername, password) directly into a shell command without sanitization; the vulnerability is reachable over the network with no credentials required. Successful exploitation gives the attacker persistent OS-level code execution on the source SSH host. A patched-image rebuild at version 2.3.2 is available on HarborGuard for environments running an affected version of Termix.
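The interpolation flaw described above, next to one way to harden it, as an added example that is not Termix source code. The command layout (`sshpass` plus `ssh -R`), the port fields, the helper names and the sample host records are all assumptions made for illustration.

```javascript
// Added example: hypothetical tunnel-command builder, NOT Termix source code.
// The command layout (sshpass + ssh -R) and the port fields are assumptions.

// Pattern the advisory describes: host-record fields pasted into a shell string.
function buildTunnelCommandUnsafe(h) {
  return `sshpass -p '${h.password}' ssh -N -R ${h.remotePort}:localhost:${h.localPort} ` +
         `${h.endpointUsername}@${h.endpointIP}`;
}

// POSIX single-quote escaping: close the quote, emit \', reopen the quote.
function shQuote(value) {
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

// Allowlists: nothing a shell treats as a metacharacter can match these.
const USERNAME_RE = /^[a-z_][a-z0-9_-]{0,31}$/i;
const HOST_RE = /^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i;
const IPV6_RE = /^(?=.*:)[0-9a-f:]{2,39}$/i; // charset check only; ssh rejects malformed literals

const isPort = (p) => Number.isInteger(p) && p >= 1 && p <= 65535;
const isStr = (v) => typeof v === "string";

function buildTunnelCommandSafe(h) {
  if (!isStr(h.endpointIP) || !(HOST_RE.test(h.endpointIP) || IPV6_RE.test(h.endpointIP)))
    throw new Error("invalid endpointIP");
  if (!isStr(h.endpointUsername) || !USERNAME_RE.test(h.endpointUsername))
    throw new Error("invalid endpointUsername");
  if (!isPort(h.remotePort) || !isPort(h.localPort)) throw new Error("invalid port");
  // Passwords may contain any printable character, so quote rather than allowlist.
  if (!isStr(h.password) || /[\0\r\n]/.test(h.password)) throw new Error("invalid password");
  return ["sshpass", "-p", shQuote(h.password), "ssh", "-N", "-R",
          `${h.remotePort}:localhost:${h.localPort}`,
          `${h.endpointUsername}@${h.endpointIP}`].join(" ");
}

// Constructed host records for demonstration.
const benign = { endpointIP: "10.0.0.5", endpointUsername: "deploy",
                 password: "pa'ss; id", remotePort: 8080, localPort: 80 };
const hostile = { ...benign, endpointIP: "10.0.0.5; id" };

// True when the hardened builder refuses the record.
function rejects(record) {
  try { buildTunnelCommandSafe(record); return false; } catch { return true; }
}
```

Validation belongs both where the host record is stored and where the command is built, because the advisory describes the injection as persistent: a record saved before the fix can still carry a hostile value.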
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Termix or its dependencies.
Status: Available
HarborGuard scores this finding at CVSS 9.8 Critical and weights it against each environment's compliance policy to determine escalation priority; routing to the appropriate team inbox inside each customer organization is available automatically based on configured ownership rules.
Status: Available
Because no upstream fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream project ships a fix. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically once a fix version becomes available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The vulnerable endpoint is exposed over the network; an attacker must be able to send HTTP requests to the Termix service to exploit it.
- Authentication: Not required
  No credentials or session token are needed; the POST /ssh/tunnel/connect endpoint accepts unauthenticated requests.
- Victim interaction: Not required
  Exploitation is fully server-side and requires no action from any user or administrator.
- Attack complexity: Detail
  The exploit is reliable and condition-free; no race conditions, memory layout knowledge, or environmental factors are required to inject commands successfully.
Blast Radius
- The attacker executes arbitrary OS commands with the privileges of the Termix process on the source SSH host, enabling full host compromise.
- All secrets stored or accessible on that host, including SSH keys, credentials cached in environment variables, and configuration files, are readable.
- The attacker can modify or delete files on the host, tamper with SSH tunnel configurations, and pivot to downstream systems reachable through configured tunnels.
- The Termix service and any co-located services can be crashed or disabled, causing a loss of management access to all systems administered through the platform.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix for CVE-2026-45748 has been published yet, HarborGuard continuously monitors the advisory and will make a patched-image rebuild available as soon as version 2.3.2 or a later fix is released by the Termix project. In the interim, compensating controls are strongly advised: apply network policy to restrict access to the Termix service to trusted IP ranges only, enforce egress filtering on the host running Termix to limit lateral movement if the endpoint is reached, and consider disabling the SSH tunnel feature via application configuration if it is not operationally required. For customers with auto-remediation enabled, the moment an upstream patch is confirmed, HarborGuard will trigger a rebuilt image, run regression tests, and open a PR against affected workloads without manual intervention. Given the critical CVSS score of 9.8 and the absence of any authentication barrier, this advisory should be treated as high priority for triage and compensating-control deployment.
- Termix-SSH / Termix < 2.3.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H