CVE-2026-45749
HIGHDescription
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user's password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| termix | termix |
References
Advisories & Patches
Exploits
Other References
Frequently Asked Questions
What is CVE-2026-45749? +
How severe is CVE-2026-45749? +
What products are affected by CVE-2026-45749? +
How do I check if I'm vulnerable to CVE-2026-45749? +
Related Vulnerabilities
vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 …
Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled …
An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing …
This vulnerability exists in Shilpi Client Dashboard due to implementation of inadequate authentication mechanism in the login module wherein access …
IBM PowerSC 1.3, 2.0, and 2.1 uses single-factor authentication which can lead to unnecessary risk of compromise when compared with …
LDAP users on IBM Spectrum Virtualize 8.5 which are configured to require multifactor authentication can still authenticate to the CIM …