CVE-2026-42452

Name of the Vulnerable Software and Affected Versions Termix versions prior to 2.1.0

Description Termix is a web-based server management platform featuring an SSH terminal, tunneling, and file editing. The '/users/login' endpoint issues a temporary JSON Web Token (JWT), specifically the temp token, for accounts with Time-based One-Time Password (TOTP) enabled. This token is intended to have a pendingTOTP state and should only be valid for the second-factor authentication flow. However, the authentication middleware incorrectly accepts this token on regular authenticated endpoints, allowing users to bypass the second factor and reducing authentication to a single factor (password).

Recommendations Update to version 2.1.0.