Termix CVE-2026-42452 Bypasses 2FA with Temporary JWT

The National Vulnerability Database has disclosed CVE-2026-42452, a high-severity vulnerability (CVSS 8.1) in Termix, a web-based server management platform. This flaw, present in versions prior to 2.1.0, allows an attacker to bypass two-factor authentication (2FA) for accounts where it is enabled.

The issue stems from the /users/login endpoint issuing a temporary JWT (temp_token) for TOTP-enabled accounts. This token, intended solely for the second-factor flow, carries a pendingTOTP state. However, the authentication middleware incorrectly accepts this token on regular authenticated endpoints, effectively reducing 2FA-protected accounts to single-factor (password-only) authentication. This completely undermines the security posture for users relying on TOTP in Termix.

This is a critical flaw. For an attacker, compromising a password now means full access, even if 2FA is configured. Defenders need to recognize that this vulnerability turns a layered defense into a single point of failure, making Termix instances a prime target for lateral movement or data exfiltration if credentials are breached.
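The middleware flaw described above, reduced to a minimal Node.js sketch next to a hardened check. This is an added example, not Termix's code: only `temp_token` and `pendingTOTP` come from the advisory, while the `userId` and `exp` claims, the HMAC secret and the function names are assumptions.

```javascript
// Added illustration, not Termix source. userId, exp and SECRET are assumed names.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed value for the demo
const b64u = (v) => Buffer.from(v).toString('base64url');
const mac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Minimal HS256 JWT signer so the example runs without dependencies.
function sign(claims) {
  const body = `${b64u(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64u(JSON.stringify(claims))}`;
  return `${body}.${b64u(mac(body))}`;
}

// Returns the claims when signature and expiry check out, otherwise null.
function verify(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const expected = mac(`${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try { claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString()); } catch { return null; }
  if (!claims || typeof claims.exp !== 'number' || claims.exp <= Date.now() / 1000) return null;
  return claims;
}

// Flawed pattern: a valid signature alone authenticates, so temp_token passes.
function authFlawed(token) {
  const c = verify(token);
  return c ? { status: 200, userId: c.userId } : { status: 401 };
}

// Hardened pattern: a token still in the pendingTOTP state is refused on
// regular endpoints; only the TOTP verification step should accept it.
function authStrict(token) {
  const c = verify(token);
  if (!c || c.pendingTOTP) return { status: 401 };
  return { status: 200, userId: c.userId };
}

const now = Math.floor(Date.now() / 1000);
// Constructed tokens: one issued after the password step, one after TOTP.
const tempToken = sign({ userId: 'u-1', pendingTOTP: true, exp: now + 600 });
const sessionToken = sign({ userId: 'u-1', exp: now + 3600 });

console.log('flawed + temp_token :', authFlawed(tempToken).status);
console.log('strict + temp_token :', authStrict(tempToken).status);
console.log('strict + session    :', authStrict(sessionToken).status);
```

The same test belongs in a regression suite: every authenticated route should return 401 for a token in the `pendingTOTP` state.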

What This Means For You

  • If your organization uses Termix, you need to immediately verify your version. Prior to 2.1.0, your 2FA is effectively useless. Patch to Termix version 2.1.0 or newer without delay. Audit logs for any suspicious logins using `temp_token` where a TOTP challenge was not completed.

🛡️ Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

high T1190 Initial Access

Termix CVE-2026-42452 - Temporary JWT Used for Unauthorized Access

Sigma YAML:
title: Termix CVE-2026-42452 - Temporary JWT Used for Unauthorized Access
id: scw-2026-05-08-ai-1
status: experimental
level: high
description: |
  This rule detects the exploitation of CVE-2026-42452 in Termix. The vulnerability allows an attacker to bypass 2FA by using a temporary JWT (temp_token) with a 'pendingTOTP' state on regular authenticated endpoints. This detection specifically looks for POST requests to the /api/v1/users/login endpoint that include 'pendingTOTP' in the query parameters, indicating the use of the vulnerable temporary token for authentication.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42452/
tags:
  - attack.initial_access
  - attack.t1190
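logsource:
  category: authentication
detection:
  # Matches successful POSTs to the login endpoint whose query string contains
  # 'pendingTOTP'. Caveat: the advisory describes pendingTOTP as state carried
  # in the temp_token and the bypass as occurring on regular authenticated
  # endpoints, so validate this match against real Termix logs before relying on it.
  selection:
    cs-uri|contains:
      - '/api/v1/users/login'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  selection_base:
    cs-uri-query|contains:
      - 'pendingTOTP'
  # The condition is a key of 'detection' and uses the lowercase 'and' operator.
  condition: selection and selection_base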
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42452 | Auth Bypass | Termix web-based server management platform |
| CVE-2026-42452 | Auth Bypass | Termix versions prior to 2.1.0 |
| CVE-2026-42452 | Auth Bypass | Vulnerable endpoint: /users/login issuing temp_token |
| CVE-2026-42452 | Auth Bypass | Bypass of TOTP 2FA due to auth middleware accepting temp_token on regular authenticated endpoints |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 09, 2026 at 02:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
