Description
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId parameter. The backend trusts a client-controlled identifier without verifying that it belongs to the authenticated user. This allows an attacker to manipulate the value and access active File Manager sessions belonging to other users. Since these sessions are tied to SSH connections to remote VPS instances, exploitation allows unauthorized interaction with another user's remote filesystem. Because the File Manager exposes functionality such as file reading, writing, uploading, and execution, this vulnerability enables direct command execution on another user's VPS (RCE). Version 2.3.2 patches the issue.
Published: 2026-06-05
Score: 9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in the Termix web-based management platform permits an attacker to gain remote code execution rights on a victim's VPS. The backend accepts a sessionId parameter that is supplied by the client and is not verified against the actively authenticated user. As a result, an attacker can forge the sessionId of another user's active File Manager session and invoke file editing, uploading, or execution functions. This broken access control escalates to full control over the victim's remote file system, effectively giving the attacker the same privileges as the original user's SSH session.

Affected Systems

The flaw exists in Termix versions earlier than 2.3.2. All installations of Termix that expose the File Manager functionality are affected, regardless of deployment size. Administrators using Termix to manage multiple VPS instances should treat every user able to open an SSH-backed File Manager session as potentially exposed.

Risk and Exploitability

The CVSS score of 9.0 classifies this as high severity, and the vulnerability is listed as not yet part of the CISA KEV catalog. Exploitation requires the attacker to target a known or guessable sessionId and to interact with the Termix web interface, a reasonable attack vector for a user with access to the deployment or via phishing. Because EPSS is not available, the concrete probability of exploitation is uncertain, but the high CVSS and the ability to execute arbitrary commands on customer VPS make the risk significant.

Generated by OpenCVE AI on June 5, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Termix 2.3.2 update or later to fix the sessionId validation flaw
  • Disable or lock the File Manager feature in the platform configuration until the patch is applied, preventing file manipulation via the web UI
  • Implement network segmentation or SSH connection monitoring to detect and contain any unauthorized session hijacking attempts


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 18:15:00 +0000

Type        | Values Removed | Values Added
Description |                | Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId parameter. The backend trusts a client-controlled identifier without verifying that it belongs to the authenticated user. This allows an attacker to manipulate the value and access active File Manager sessions belonging to other users. Since these sessions are tied to SSH connections to remote VPS instances, exploitation allows unauthorized interaction with another user's remote filesystem. Because the File Manager exposes functionality such as file reading, writing, uploading, and execution, this vulnerability enables direct command execution on another user's VPS (RCE). Version 2.3.2 patches the issue.
Title       |                | Termix Vulnerable to Arbitrary Command Execution via Session Hijacking
Weaknesses  |                | CWE-284, CWE-639
References  |                |
Metrics     |                | cvssV3_1 {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T17:59:23.593Z

Reserved: 2026-05-13T06:54:34.220Z

Link: CVE-2026-45746

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-05T18:17:30.587

Modified: 2026-06-05T19:00:25.007

Link: CVE-2026-45746

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T19:45:03Z

Weaknesses