VYPR
Critical severity 9.8 · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-45748

Description

Termix 2.1.0 and earlier suffer from OS command injection via the SSH tunnel connect endpoint, allowing persistent RCE.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Termix versions prior to 2.3.2 contain a vulnerability in the POST /ssh/tunnel/connect endpoint. This endpoint constructs an SSH tunnel command by directly interpolating user-controlled fields such as endpointIP, endpointUsername, and password into a shell command without proper escaping. This allows for persistent OS command injection on the source SSH host [2].

Exploitation

An attacker can exploit this vulnerability by creating a host record with malicious input in fields like endpointIP. For example, by setting endpointIP to 127.0.0.1$(id>/tmp/pwn), an attacker can inject commands. After configuring a tunnel with this malicious host as the endpoint and connecting it, the injected command will be executed on the source SSH host. Auto-start tunnels can provide persistence for the payload across Termix process restarts [2].

Impact

Successful exploitation allows an attacker to achieve arbitrary command execution on the source SSH host. The attacker gains the privilege level of the user running Termix on that host. Persistent Remote Code Execution (RCE) is possible through the use of auto-start tunnels, which reapply the payload upon every Termix process restart [2].

Mitigation

Termix version 2.3.2 has been released to address this vulnerability [1]. Users are advised to update to version 2.3.2 or later. If updating is not immediately possible, potential workarounds could involve sanitizing or validating user-controlled input before it is used in shell commands, though no specific workarounds are detailed in the provided references.

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Termix SSH/Termix (no CPE), range: <2.3.2

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"User-controlled fields are directly interpolated into an OS command without proper sanitization."

Attack vector

An attacker can create a host record with malicious input in fields like `endpointIP`. By then configuring and connecting an SSH tunnel using this record, the malicious input is executed as part of a shell command on the source SSH host. This allows for arbitrary command execution, and if auto-start tunnels are used, the payload can persist across Termix process restarts [ref_id=1].

Affected code

The vulnerability lies within the `POST /ssh/tunnel/connect` endpoint, specifically in the construction of the `tunnelCmd` variable in `src/backend/ssh/tunnel.ts` lines 851-869. This command interpolates user-controlled fields such as `endpointIP`, `endpointUsername`, and `password` directly into the shell command without escaping [ref_id=1].

What the fix does

The advisory indicates that the vulnerability is fixed in version 2.3.2. The recommended remediation is to avoid assembling shell commands from host record fields and instead use the ssh2 library's `forwardOut`/`forwardIn` methods. Alternatively, all values should be properly shell-escaped before interpolation [ref_id=1].
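
One way to apply the escaping alternative described above, as an added example that is not Termix's code or its 2.3.2 fix. `endpointIP` and `endpointUsername` are the advisory's field names; the `ssh -N` command is a simplified stand-in, and the function names and patterns are assumptions.

```typescript
// Added example (not Termix code). endpointIP / endpointUsername come from the
// advisory; every other name and the stand-in command are hypothetical.
interface EndpointFields {
  endpointIP: string;
  endpointUsername: string;
}

// Hostname or IPv4: dot-separated alphanumeric labels. A label cannot start with
// "-", so the value can never be parsed as a command-line option.
const HOST_RE =
  /^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/;
// Coarse IPv6 shape: hex digits and colons only, at least one colon.
const IPV6_RE = /^(?=.*:)[0-9A-Fa-f:]{2,39}$/;
const USER_RE = /^[A-Za-z_][A-Za-z0-9_.-]{0,31}$/;

// Names of the fields that must be rejected before the record is stored or used.
function rejectedFields(f: EndpointFields): string[] {
  const bad: string[] = [];
  if (!HOST_RE.test(f.endpointIP) && !IPV6_RE.test(f.endpointIP)) bad.push("endpointIP");
  if (!USER_RE.test(f.endpointUsername)) bad.push("endpointUsername");
  return bad;
}

// POSIX single-quote escaping: nothing expands inside '...', so only "'" itself
// has to be closed, escaped and reopened.
function shQuote(value: string): string {
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

// Pattern the advisory describes: raw interpolation, shell metacharacters survive.
function unsafeCommand(f: EndpointFields): string {
  return `ssh -N ${f.endpointUsername}@${f.endpointIP}`;
}

// Hardened form: allow-list validation first, then quote what is interpolated.
function safeCommand(f: EndpointFields): string {
  const bad = rejectedFields(f);
  if (bad.length > 0) throw new Error("rejected fields: " + bad.join(", "));
  return `ssh -N ${shQuote(f.endpointUsername + "@" + f.endpointIP)}`;
}
```

Free-form values such as `password` cannot be allow-listed, so they depend on `shQuote` alone whenever they reach a shell.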

Preconditions

  • auth: The attacker needs to be able to create host records, which requires authentication to Termix.
  • input: The attacker must provide malicious input in the host record fields used for tunnel configuration.

Reproduction

Steps to Reproduce:

1. Create a host record with a malicious IP: `curl -X POST http://target/host/db/host -H "Cookie: jwt=<jwt>" -H "Content-Type: application/json" -d '{"name":"evilEP","ip":"127.0.0.1$(id>/tmp/pwn)","port":22,"username":"u","authType":"password","password":"x"}'`
2. Configure a tunnel with this host as the endpoint and connect it.

The source SSH host will now contain `/tmp/pwn` with the output of the `id` command [ref_id=1].

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
