PatchSiren cyber security CVE debrief
CVE-2026-45746 Termix-SSH CVE debrief
CVE-2026-45746 is a critical Broken Access Control vulnerability in the Termix web-based server management platform. The vulnerability exists in the File Manager functionality prior to version 2.3.2. An attacker can manipulate the sessionId parameter to access active File Manager sessions belonging to other users, allowing unauthorized interaction with another user's remote filesystem and enabling direct command execution on another user's VPS (RCE).
- Vendor: Termix-SSH
- Product: Termix
- CVSS: CRITICAL 9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-09
Who should care
Users of Termix versions prior to 2.3.2 should apply the patch immediately to prevent exploitation.
Technical summary
The backend trusts a client-controlled identifier without verifying that it belongs to the authenticated user. This allows an attacker to manipulate the value and access active File Manager sessions belonging to other users. Since these sessions are tied to SSH connections to remote VPS instances, exploitation allows unauthorized interaction with another user's remote filesystem.
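The ownership check that the summary says is missing, shown beside the unchecked lookup. This is an added illustration, not Termix source code; the class, method names, session ID format, and sample users and hosts are hypothetical.

```javascript
// Added illustration; not Termix source code. All names are hypothetical.
class FileManagerSessions {
  constructor() {
    this.sessions = new Map(); // sessionId -> { ownerId, host }
    this.denied = [];          // ownership mismatches, kept for alerting
    this.counter = 0;
  }

  open(ownerId, host) {
    // Constructed ID format. The ID's shape does not replace the owner check.
    const sessionId = `fm-${++this.counter}`;
    this.sessions.set(sessionId, { ownerId, host });
    return sessionId;
  }

  // Flawed pattern from the summary: the client-supplied ID is the only key.
  lookupUnchecked(sessionId) {
    return this.sessions.get(sessionId) ?? null;
  }

  // Hardened pattern: the session must belong to the authenticated caller.
  // authenticatedUserId must come from the server-side login state,
  // never from the request body or query string.
  lookupForUser(authenticatedUserId, sessionId) {
    const session = this.sessions.get(sessionId);
    if (!session) return null;
    if (session.ownerId !== authenticatedUserId) {
      // Record the mismatch so repeated attempts can be detected.
      this.denied.push({ authenticatedUserId, sessionId, at: Date.now() });
      return null; // same result as "not found", so the caller learns nothing
    }
    return session;
  }
}

// Constructed sample data: one session owned by "alice".
function demo() {
  const store = new FileManagerSessions();
  const aliceSession = store.open("alice", "vps-a.example");
  return {
    unchecked: store.lookupUnchecked(aliceSession),    // returned to any caller
    owner: store.lookupForUser("alice", aliceSession), // alice's own session
    other: store.lookupForUser("bob", aliceSession),   // rejected
    deniedCount: store.denied.length,
  };
}
```

Entries in `denied` are a useful detection signal: a legitimate client should never present a session ID that belongs to a different account.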
Defensive priority
Critical
Recommended defensive actions
- Upgrade to Termix version 2.3.2 or later.
- Review and restrict access to File Manager functionality.
Evidence notes
CVE-2026-45746 has a CVSS score of 9 and is classified as CRITICAL.
Official resources
- CVE-2026-45746 CVE record: CVE.org
- CVE-2026-45746 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Mitigation, Vendor Advisory
CVE-2026-45746 was published on 2026-06-05T18:17:30.587Z and modified on 2026-06-09T16:16:41.730Z.