CVE-2026-45749: Termix's TOTP two-factor authentication can be disabled or bypassed using only the account password
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. In versions prior to 2.3.2, the `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints accept the account password as the sole authentication factor for these MFA-critical operations. An attacker who has obtained a user's password (through phishing, credential stuffing, or the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes without ever possessing the TOTP device or knowing a valid TOTP code, which renders two-factor authentication ineffective. Version 2.3.2 patches the issue.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: — (not yet recorded in the feed; the upstream advisory names 2.3.2)
- Affected Products: 1
HarborGuard Analysis
Synopsis
Authentication bypass affecting Termix, a web-based server management platform with SSH terminal and file editing capabilities. The vulnerability is reachable over the network by anyone who holds the target account's password (no admin rights are needed), and requires no victim interaction. A successful attacker can disable TOTP two-factor authentication entirely or regenerate backup codes without possessing the TOTP device, effectively stripping the account of its second factor and opening it to full account takeover. The upstream advisory names 2.3.2 as the fixed version; HarborGuard's feed had not yet recorded a confirmed fix version at the time of writing, and HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as the fix is confirmed.
HarborGuard Coverage
- Detection: Available. Detection of CVE-2026-45749 is available across every HarborGuard environment. Ingestion from upstream advisory feeds happens within minutes of publication, and matching against images in customer registries, CI pipelines, and custom-built Termix images is performed automatically at each scan cycle.
- Triage: Available. Triage uses the CVSS v3.1 score of 8.1 (HIGH), weighted against each customer environment's compliance policy, to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer org based on configured ownership rules.
- Remediation: Pending upstream. The upstream advisory names 2.3.2 as the fixed version, but at the time of writing HarborGuard's feed had not yet recorded a confirmed fix version, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as the remediated release is confirmed. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the fix version is confirmed.
Exploit Conditions
- Network reachability: Required. The vulnerable endpoints are exposed over the network; an attacker must be able to send HTTP requests to the Termix instance.
- Authentication: Required. The target account's password is sufficient; no admin rights are needed, but the attacker must have obtained that password beforehand, since the requests are made as the victim rather than from a separate attacker account.
- Victim interaction: Not required. The attacker sends API requests directly; no user needs to click a link or take any action.
- Attack complexity: Low. The exploit is reliable and requires no special environmental conditions, race conditions, or memory layout dependencies.
Blast Radius
- Attacker disables TOTP on the target account, removing the second authentication factor entirely and reducing login to password-only.
- Attacker regenerates backup codes, invalidating any previously issued codes held by the legitimate user and locking out recovery options.
- With 2FA stripped, any subsequent password-only login grants full access to the Termix dashboard, including SSH terminals, tunneling sessions, and file editing on managed servers.
- Confidentiality and integrity of all servers managed through the compromised Termix account are exposed; the attacker gains interactive shell access to connected infrastructure.
How HarborGuard Handles This
Available on HarborGuard: the upstream advisory names Termix 2.3.2 as the fixed version, but HarborGuard's feed had not yet recorded a confirmed fix version for CVE-2026-45749 at the time of writing, so HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once the 2.3.2 (or later) release is confirmed. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads without manual steps. In the interim, compensating controls worth considering include network-policy isolation that restricts access to Termix instances to trusted IP ranges, egress filtering to limit lateral movement from a compromised session, and organizational controls that reduce password-reuse risk, since the attack chain depends on a prior password compromise. Note that the malicious requests carry valid credentials and are indistinguishable from legitimate ones at the network layer, so also alert on calls to `POST /users/totp/disable` and `POST /users/totp/backup-codes`, notify the account owner out of band whenever TOTP is disabled or backup codes are regenerated, and rotate the passwords of any accounts whose hashes may have been exposed. HarborGuard will surface the patched rebuild to affected environments as soon as the upstream fix is confirmed.
Affected Products
- Termix-SSH / Termix: < 2.3.2
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N