Weakness in Termix Management Platform Allows Bypassing of Two-Factor Authentication
CVE-2026-42452

8.1 HIGH

Key Information:

Vendor: Termix-ssh

Status
Vendor
CVE Published: 8 May 2026

What is CVE-2026-42452?

Termix is a server management platform that offers an array of web-based server management features. For accounts that use Time-based One-Time Password (TOTP) authentication, it generates a temporary JSON Web Token (JWT). This token is meant to be transient and limited to the TOTP verification flow, but the authentication middleware also accepts it on regular endpoints. As a result, two-factor authentication is weakened, which can allow unauthorized access to accounts. The vulnerability has been patched in version 2.1.0; installations running an earlier version should update.
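The flaw class described above, as an added example that is not Termix's code: a middleware that accepts any validly signed token, next to one that only accepts tokens issued as full sessions. The `purpose` claim, the function names, the secret and the assumption that the temporary token is issued at the first login step are all hypothetical.

```javascript
// Added example, not Termix code. All names and the `purpose` claim are hypothetical.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value for the demo
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const mac = (data) => createHmac('sha256', SECRET).update(data).digest();

// Minimal HS256 JWT issue/verify so the example runs without dependencies.
function issue(claims, ttlSeconds) {
  const exp = Math.floor(Date.now() / 1000) + ttlSeconds;
  const body = `${b64({ alg: 'HS256', typ: 'JWT' })}.${b64({ ...claims, exp })}`;
  return `${body}.${mac(body).toString('base64url')}`;
}

function verify(token) {
  const [h, p, s] = String(token).split('.');
  if (!h || !p || !s) return null;
  const given = Buffer.from(s, 'base64url');
  const expected = mac(`${h}.${p}`);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  return claims.exp > Math.floor(Date.now() / 1000) ? claims : null;
}

// Assumed first login step: TOTP accounts get a 5-minute token scoped to the TOTP flow.
function login(user) {
  const pending = user.totpEnabled;
  return issue({ sub: user.id, purpose: pending ? 'totp_pending' : 'session' }, pending ? 300 : 3600);
}

// Flawed middleware: any validly signed, unexpired token is treated as a session.
function authVulnerable(token) {
  const claims = verify(token);
  return claims ? { status: 200, user: claims.sub } : { status: 401 };
}

// Hardened middleware: regular endpoints accept only tokens issued as full sessions.
function authHardened(token) {
  const claims = verify(token);
  if (!claims || claims.purpose !== 'session') return { status: 401 };
  return { status: 200, user: claims.sub };
}

// Only the TOTP verification endpoint accepts the pending token, then issues a session.
function completeTotp(token, codeIsValid) {
  const claims = verify(token);
  if (!claims || claims.purpose !== 'totp_pending' || !codeIsValid) return null;
  return issue({ sub: claims.sub, purpose: 'session' }, 3600);
}
```

The hardened check is an allow-list on the token's purpose, so any token type added later is rejected on regular endpoints by default.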

Affected Version(s)

Termix < 2.1.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
