CVE-2026-45745

HIGH

Termix has improper certificate validation in Electron desktop client that enables MITM credential/token theft

Title source: cna

Description

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Starting in version 1.7.0, Termix Desktop (Electron) disables TLS certificate validation, allowing a machine-in-the-middle attacker to intercept and modify HTTPS traffic to the configured Termix server. This can lead to credential theft and JWT/session theft during login and normal use. As of time of publication, no known patched versions are available.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/Termix-SSH/Termix/security/advisories/GHSA-r9gw-3w87-mhh7

Scores

CVSS v3 8.0

EPSS 0.0013

EPSS Percentile 2.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-295

Status published

Products (2)

termix/termix 1.7.0

Termix-SSH/Termix >= 1.7.0, <= 2.2.1

Published Jun 05, 2026

Tracked Since Jun 06, 2026