CVE-2026-45745: CWE-295: Improper Certificate Validation in Termix-SSH Termix
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Starting in version 1.7.0, Termix Desktop (Electron) disables TLS certificate validation, allowing a machine-in-the-middle attacker to intercept and modify HTTPS traffic to the configured Termix server. This can lead to credential theft and JWT/session theft during login and normal use. As of time of publication, no known patched versions are available.
AI Analysis
Technical Summary
CVE-2026-45745 is an improper certificate validation vulnerability (CWE-295) in Termix Desktop (Electron) starting from version 1.7.0 up to 2.2.1. The application disables TLS certificate validation, which allows attackers positioned in the network path to perform man-in-the-middle attacks on HTTPS connections to the Termix server. This can result in the interception and modification of sensitive data, including user credentials and JWT/session tokens, compromising user authentication and session integrity.
Potential Impact
Successful exploitation allows an attacker to intercept and alter HTTPS traffic between the Termix Desktop client and the server, leading to credential theft and session hijacking. This compromises user authentication and potentially grants unauthorized access to the server management platform. The CVSS score of 8.0 reflects high impact on confidentiality and integrity, with no impact on availability.
Mitigation Recommendations
As of the publication date, no patches or official fixes are available for this vulnerability. Users should avoid using affected versions (1.7.0 through 2.2.1) of Termix Desktop until a vendor update is released. Monitoring the vendor advisory for updates is recommended. Network-level mitigations such as using trusted networks or VPNs may reduce exposure but do not fully mitigate the risk due to disabled certificate validation.
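With no patched release available, one practical check is to audit an Electron client's main-process source for constructs that switch off certificate validation. The scanner below is an added example, not Termix code or part of the advisory; the page does not say which mechanism Termix uses, so the rules cover common Electron and Node.js patterns, and the function name, rule ids and both sample inputs are constructed for illustration.

```javascript
// Added example: flags common Electron/Node.js constructs that disable TLS
// certificate validation. The rules are general patterns, not Termix's code.
const RULES = [
  // Chromium switch that ignores every certificate error.
  { id: 'ignore-certificate-errors-switch',
    re: /appendSwitch\(\s*['"]ignore-certificate-errors['"]/ },
  // 'certificate-error' handler that overrides the verdict with callback(true).
  { id: 'certificate-error-accepted',
    re: /\.on\(\s*['"]certificate-error['"][\s\S]{0,300}?callback\(\s*true\s*\)/ },
  // Session verify proc that reports success (0) to Chromium.
  { id: 'verify-proc-always-ok',
    re: /setCertificateVerifyProc\([\s\S]{0,200}?callback\(\s*0\s*\)/ },
  // Node.js-side requests: environment toggle and per-request option.
  { id: 'node-tls-reject-unauthorized-off',
    re: /NODE_TLS_REJECT_UNAUTHORIZED['"]?\]?\s*=\s*['"]?0/ },
  { id: 'reject-unauthorized-false',
    re: /rejectUnauthorized\s*:\s*false/ },
];

// Returns [{ id, line }] with the first match of each rule in `source`.
function findDisabledTlsValidation(source) {
  const findings = [];
  for (const { id, re } of RULES) {
    const m = re.exec(source);
    if (m) {
      const line = source.slice(0, m.index).split('\n').length;
      findings.push({ id, line });
    }
  }
  return findings;
}

// Constructed sample inputs (not Termix source).
const SAMPLE_WEAK = [
  "const { app } = require('electron');",
  "app.commandLine.appendSwitch('ignore-certificate-errors');",
  "app.on('certificate-error', (event, wc, url, error, cert, callback) => {",
  "  event.preventDefault();",
  "  callback(true); // trust every certificate",
  "});",
].join('\n');

const SAMPLE_STRICT = [
  "const { app } = require('electron');",
  "app.on('certificate-error', (event, wc, url, error, cert, callback) => {",
  "  callback(false); // keep Chromium's verdict: reject",
  "});",
].join('\n');

console.log(findDisabledTlsValidation(SAMPLE_WEAK));
console.log(findDisabledTlsValidation(SAMPLE_STRICT));
```

A match is a lead for manual review rather than proof, since the regexes do not parse JavaScript.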
CVSS v3.1
Score: 8.0 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-13T06:54:34.220Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a23130be29bf47b50a3ece4
Added to database: 6/5/2026, 6:18:51 PM
Last enriched: 6/5/2026, 6:34:00 PM
Last updated: 6/6/2026, 4:22:21 AM