CVE-2026-45745

An attacker must be in a network path to intercept HTTPS traffic to the Termix server, such as via a malicious Wi-Fi network or proxy [ref_id=1]. The attacker then intercepts the victim's connection to the Termix server using an untrusted or self-signed certificate. When the victim opens Termix Desktop and connects to the server, the application will succeed despite the invalid certificate, allowing the attacker to capture or modify authentication and API traffic [ref_id=1].

The vulnerability exists in the Termix Desktop (Electron) client. Specifically, global ignore flags in Electron startup such as '--ignore-certificate-errors', '--ignore-ssl-errors', and '--ignore-certificate-errors-spki-list' are used. Additionally, custom HTTPS logic sets 'rejectUnauthorized: false' and 'checkServerIdentity: () => undefined' [ref_id=1]. These settings are configured in the electron main process setup and affect the desktop authentication iframe flow.

The advisory does not specify any patched versions or provide details on a fix. It states that as of the time of publication, no known patched versions are available. Therefore, users are advised to avoid connecting to remote Termix servers over untrusted networks.

1. Place an attacker in the network path (e.g., malicious Wi-Fi/proxy). 2. Intercept victim HTTPS connection to configured Termix server with an untrusted/self-signed cert. 3. Open Termix Desktop and connect/login to that server. 4. Observe connection succeeds despite invalid cert. 5. Capture/modify auth/API traffic to obtain credentials or JWT [ref_id=1].