CVE-2026-45746
Broken Access Control in Termix File Manager
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| termix | termix | to 2.3.2 (exc) |
| termix | termix | to 2.1.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized access to other users' remote filesystems and enables remote code execution on their VPS instances due to broken access control in the Termix File Manager. This unauthorized access to sensitive data and systems could lead to violations of data protection and privacy regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
Specifically, the improper validation of session identifiers and the ability for attackers to hijack sessions may result in unauthorized disclosure, modification, or destruction of protected data, undermining compliance with confidentiality, integrity, and availability requirements mandated by these standards.
Can you explain this vulnerability to me?
CVE-2026-45746 is a critical vulnerability in the Termix SSH file manager that affects versions up to 2.1.0. The issue arises because the sessionId parameter, which is controlled by the client, is not properly validated or bound to the authenticated user on the backend. This allows an attacker to manipulate the sessionId value to hijack active File Manager sessions belonging to other users.
Since these sessions are connected to SSH connections on remote VPS instances, an attacker can gain unauthorized access to another user's remote filesystem. This includes the ability to read, write, upload, and execute files, effectively enabling remote code execution (RCE) on the victim's VPS.
The vulnerability stems from improper access control and authorization bypass due to trusting a client-controlled identifier without verifying ownership.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized access to your remote VPS filesystem through hijacked File Manager sessions. An attacker can read, modify, upload, or delete files on your server.
More critically, the attacker can execute arbitrary commands remotely on your VPS, leading to full remote code execution (RCE). This can compromise the confidentiality, integrity, and availability of your server and any data or services it hosts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying manipulation or unauthorized use of the sessionId parameter in Termix File Manager sessions. Since the sessionId is client-controlled and predictable, monitoring HTTP requests to the File Manager endpoints for unusual or repeated sessionId values that do not belong to the authenticated user can indicate exploitation attempts.
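One approach is to capture and analyze HTTP traffic to the Termix server, for example using tcpdump or Wireshark to filter requests to the File Manager endpoints and inspect sessionId parameters. Packet capture only exposes the parameter when the traffic is unencrypted; for HTTPS, inspect requests at the TLS-terminating proxy or in the server logs instead.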
Additionally, reviewing server logs for access patterns where sessionId values are used by multiple different user accounts or IP addresses may help identify suspicious activity.
Specific commands could be:
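- tcpdump -i <interface> -l -A -s 0 'tcp port 80 or tcp port 443' | grep sessionId (-l line-buffers the output so grep sees matches as they arrive)
- grep -o 'sessionId=[^&[:space:]]*' /var/log/termix/access.log | sort | uniq -c | sort -nr (counts requests per sessionId value rather than per whole log line)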
- Use web application scanners or custom scripts to test if sessionId values can be manipulated to access other users' sessions.
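The log review described above (sessionId values used by more than one user account or IP address) can be scripted. The following is an added example, not Termix code or part of the original advisory; the log format, the `/file-manager/...` paths and all sample lines are constructed assumptions and must be adapted to what your proxy or server actually logs.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed combined-log-style format:
# client IP, "-", authenticated user, timestamp, request line, status, size.
SAMPLE_LOG = """\
198.51.100.10 - alice [05/Jun/2026:10:00:01 +0000] "GET /file-manager/list?sessionId=1001&path=/ HTTP/1.1" 200 512
198.51.100.10 - alice [05/Jun/2026:10:00:05 +0000] "GET /file-manager/read?path=/etc/hosts&sessionId=1001 HTTP/1.1" 200 220
203.0.113.7 - bob [05/Jun/2026:10:01:12 +0000] "GET /file-manager/list?sessionId=1002&path=/ HTTP/1.1" 200 498
203.0.113.7 - bob [05/Jun/2026:10:02:30 +0000] "GET /file-manager/list?sessionId=1001&path=/root HTTP/1.1" 200 730
203.0.113.7 - - [05/Jun/2026:10:02:31 +0000] "GET /favicon.ico HTTP/1.1" 200 318
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)"'
)
SESSION_RE = re.compile(r'[?&]sessionId=([^&\s"]+)')


def shared_session_ids(log_text):
    """Return {sessionId: {"users": [...], "ips": [...]}} for every
    sessionId that appears with more than one authenticated user."""
    users = defaultdict(set)
    ips = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        s = SESSION_RE.search(m.group("request"))
        if not s or m.group("user") == "-":
            continue  # no sessionId, or request was not authenticated
        sid = s.group(1)
        users[sid].add(m.group("user"))
        ips[sid].add(m.group("ip"))
    return {
        sid: {"users": sorted(u), "ips": sorted(ips[sid])}
        for sid, u in users.items()
        if len(u) > 1
    }


if __name__ == "__main__":
    for sid, seen in shared_session_ids(SAMPLE_LOG).items():
        print(f"sessionId={sid} users={seen['users']} ips={seen['ips']}")
```

Only sessionId values that appear in the logged request line are seen; values sent in a request body require application-level logging to be correlated this way.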
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Termix to version 2.3.2 or later, where the vulnerability has been patched.
Until the upgrade can be performed, restrict access to the Termix File Manager functionality to trusted users only and monitor for suspicious sessionId usage.
Additionally, consider implementing network-level controls such as firewall rules to limit access to the Termix server and enforce strong authentication mechanisms.
The root cause is improper validation of the sessionId parameter, so ensuring that session identifiers are bound to authenticated users and are not predictable is critical.