CVE-2026-45746
Description
Termix File Manager's Broken Access Control allows attackers to hijack other users' sessions and achieve RCE on their VPS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Termix File Manager's Broken Access Control allows attackers to hijack other users' sessions and achieve RCE on their VPS.
Vulnerability
Termix versions prior to 2.3.2 contain a Broken Access Control vulnerability in the File Manager functionality. This flaw stems from improper validation of the sessionId parameter, which is controlled by the client and is not bound to the authenticated user on the backend. This allows an attacker to manipulate the sessionId to access active File Manager sessions belonging to other users [1].
Exploitation
An attacker can exploit this vulnerability by intercepting a request to the File Manager and modifying the sessionId parameter to target another user's active session. The sessionId is described as a predictable numeric value. By sending a crafted request with a manipulated sessionId, an attacker can access files, upload files, or execute files on another user's remote VPS [1].
Impact
Successful exploitation of this vulnerability allows an attacker to gain unauthorized access to another user's remote filesystem and execute arbitrary commands on their VPS. This results in Remote Code Execution (RCE) with the privileges of the targeted user [1].
Mitigation
Termix version 2.3.2 addresses this vulnerability. Users are advised to update to version 2.3.2 or later. No other mitigation details are available in the provided references [1].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<2.3.2+ 1 more
- (no CPE)range: <2.3.2
- (no CPE)range: <2.3.2
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The backend trusts a client-controlled session identifier without verifying its ownership."
Attack vector
An attacker must first be authenticated to the Termix application. The attacker then intercepts a request to the File Manager functionality, specifically noting the `sessionId` parameter. By modifying this `sessionId` to one belonging to another authenticated user, the attacker can access and manipulate that user's active File Manager sessions. This allows for unauthorized interaction with the remote filesystem and potentially direct command execution on another user's VPS [ref_id=1].
Affected code
The vulnerability lies within the File Manager functionality, specifically in how the `sessionId` parameter is handled. The advisory lists several affected endpoints including `/ssh/file_manager/ssh/listFiles`, `/ssh/file_manager/ssh/readFile`, `/ssh/file_manager/ssh/writeFile`, and `/ssh/file_manager/ssh/executeFile`, among others [ref_id=1].
What the fix does
Version 2.3.2 addresses this vulnerability by ensuring that each `sessionId` is bound to the authenticated user on the backend. Ownership is validated on every request, and access is rejected for sessions that do not belong to the authenticated user. Additionally, the system avoids predictable or enumerable identifiers and enforces authorization checks across all File Manager endpoints, preventing session hijacking [ref_id=1].
Preconditions
- authAttacker must have an authenticated account in Termix.
- configAttacker must have configured an SSH connection.
- inputAttacker must be able to intercept and modify network requests, specifically the `sessionId` parameter.
Reproduction
User A logs in, configures an SSH connection, and opens the File Manager to obtain their `sessionId`. User B then logs in, configures their SSH connection, and opens the File Manager. User B intercepts a request to `GET /ssh/file_manager/ssh/listFiles?sessionId=<ID>&path=/ HTTP/1.1`, modifies the `sessionId` to User A's `sessionId`, and sends the request. The server then returns files belonging to User A, demonstrating unauthorized access [ref_id=1].
Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
1- Termix SSH Platform: Seven Critical and High Vulnerabilities Disclosed TogetherVypr Intelligence · Jun 5, 2026