VYPR
patchPublished Jun 5, 2026· 1 source

Termix SSH Platform: Seven Critical and High Vulnerabilities Disclosed Together

Key findings • Seven critical and high severity vulnerabilities disclosed in Termix SSH platform. • Critical OS command injection flaws in file manager and SSH tunnel endpoints. • Broken …

Key findings

  • Seven critical and high severity vulnerabilities disclosed in Termix SSH platform.
  • Critical OS command injection flaws in file manager and SSH tunnel endpoints.
  • Broken access control allows unauthorized session access.
  • MFA operations vulnerable to password-based bypass.
  • Termix Desktop (Electron) susceptible to MITM attacks due to disabled TLS validation.
  • All vulnerabilities patched in Termix version 2.3.2.

On June 5, 2026, a batch of seven vulnerabilities affecting the Termix web-based server management platform was disclosed, with all issues patched in version 2.3.2. The vulnerabilities, ranging in severity from High to Critical, impact various components including the file manager, SSH tunneling, and user authentication.

Several critical vulnerabilities stem from insecure handling of user-supplied input within the file manager and SSH functionalities. CVE-2026-45750 and CVE-2026-45744, both rated Critical, exploit the GET /ssh/file_manager/ssh/resolvePath endpoint. CVE-2026-45750 involves unsafe path parameter processing that is embedded into a shell command, while CVE-2026-45744 specifically targets OS command injection due to improper double-quote escaping for shell command construction. These flaws could allow attackers to execute arbitrary commands on the server.

Another critical vulnerability, CVE-2026-45748, lies within the POST /ssh/tunnel/connect endpoint. This flaw allows for the construction of SSH tunnel commands by directly interpolating user-controlled fields such as endpointIP, endpointUsername, and password. This could lead to unauthorized access or manipulation of SSH tunnels.

Broken Access Control is also a significant concern, highlighted by CVE-2026-45746 and CVE-2026-45743. CVE-2026-45746, a Critical vulnerability, arises from improper validation of the sessionId parameter in the File Manager component, potentially allowing unauthorized access. Similarly, CVE-2026-45743, rated High, indicates that 16 file-manager endpoints do not verify user ownership of the SSH session identified by sessionId, enabling authenticated attackers to access other users' sessions.

User authentication and security protocols are also affected. CVE-2026-45749, a High severity vulnerability, permits attackers to use the account password as the sole authentication factor for Multi-Factor Authentication (MFA) critical operations on the POST /users/totp/disable and POST /users/totp/backup-codes endpoints. Additionally, CVE-2026-45745, also High, affects Termix Desktop (Electron) versions starting from 1.7.0, where disabled TLS certificate validation opens the door to Man-in-the-Middle attacks, allowing interception and modification of HTTPS traffic.

All seven vulnerabilities were addressed in Termix version 2.3.2. Users are strongly advised to update to this version to mitigate the risks associated with these critical and high severity flaws. The coordinated disclosure of these issues highlights potential widespread security weaknesses within the platform prior to the latest update.

Synthesized by Vypr AI