Termix has improper certificate validation in Electron desktop client that enables MITM credential/token theft
CVE-2026-45745

8HIGH

Key Information:

Vendor: Termix-ssh
Status: Termix
Vendor: CVE Published:; 5 June 2026

What is CVE-2026-45745?

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Starting in version 1.7.0, Termix Desktop (Electron) disables TLS certificate validation, allowing a machine-in-the-middle attacker to intercept and modify HTTPS traffic to the configured Termix server. This can lead to credential theft and JWT/session theft during login and normal use. As of time of publication, no known patched versions are available.

Affected Version(s)

Termix >= 1.7.0, <= 2.2.1

References

https://github.com/Termix-SSH/Termix/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 5, 2026
Vulnerability Reserved
May 13, 2026

CVE-2026-45745 Data

JSON

Termix-ssh

What is CVE-2026-45745?

Affected Version(s)

References

CVSS V3.1

Timeline