Description
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user's password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue.
Published: 2026-06-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker who knows a user’s account password to invoke the /users/totp/disable or /users/totp/backup‑codes endpoints and remove the requirement for a time‑based one‑time password. The attacker never needs the physical token or a valid TOTP code, so the MFA protection is eliminated, resulting in loss of confidentiality and integrity for all actions performed by the compromised account.

Affected Systems

Termix, the web‑based server management platform by Termix‑SSH, is affected in all releases prior to 2.3.2. The issue is fixed in release 2.3.2 and later versions.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity. Though the EPSS score is not available and the vulnerability is not listed in KEV, the attack vector depends solely on possession of a valid user password, which an adversary can obtain via phishing, credential stuffing, or a password hash leak. Once the password is known, the attacker can disable MFA without further user interaction, making exploitation straightforward and potentially undetected without monitoring.

Generated by OpenCVE AI on June 5, 2026 at 19:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Termix to version 2.3.2 or later to apply the vendor patch.
  • Enforce strong password policies and multi‑factor authentication to reduce the chance of credential compromise.
  • Configure logging and alerts for /users/totp/disable and /users/totp/backup‑codes requests to detect abuse.

Generated by OpenCVE AI on June 5, 2026 at 19:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user's password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue.
Title Termix's TOTP two-factor authentication can be disabled or bypassed using only the account password
Weaknesses CWE-308
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:02:39.042Z

Reserved: 2026-05-13T06:54:34.220Z

Link: CVE-2026-45749

cve-icon Vulnrichment

Updated: 2026-06-05T19:02:19.655Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-05T18:17:31.720

Modified: 2026-06-05T20:17:32.223

Link: CVE-2026-45749

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T19:45:03Z

Weaknesses