CVE-2026-44423

MEDIUM

ShellHub: Cross-tenant IDOR in `GET /api/sessions/:uid` discloses SSH session data

Title source: cna

Description

ShellHub is a centralized SSH gateway. Prior to 0.24.2, `GET /api/sessions/:uid` returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace. This vulnerability is fixed in 0.24.2.
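The defect described above is a CWE-639 authorization-bypass: the lookup is keyed on the session uid alone, so the server never asks whether the record belongs to the caller's tenant. The following Go program is an added example, not ShellHub's code, that places the pre-fix lookup shape beside a tenant-scoped one and wires both to a `GET /api/sessions/:uid` handler. Everything in it is assumed for illustration: the `Session` field names, the in-memory `sessions` store standing in for the database, and the convention that upstream auth middleware has already verified the caller and placed its tenant in an `X-Tenant-ID` header.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Session holds the kinds of fields the advisory says the endpoint discloses.
// Field names are assumed for this example; they are not ShellHub's model.
type Session struct {
	UID           string `json:"uid"`
	TenantID      string `json:"tenant_id"`
	Username      string `json:"username"`
	DeviceUID     string `json:"device_uid"`
	IPAddress     string `json:"ip_address"`
	Term          string `json:"term"`
	Authenticated bool   `json:"authenticated"`
	StartedAt     string `json:"started_at"`
}

// sessions is a constructed in-memory store standing in for the database.
// The two records belong to two different tenants.
var sessions = map[string]Session{
	"sess-a1": {UID: "sess-a1", TenantID: "tenant-a", Username: "alice", DeviceUID: "dev-a",
		IPAddress: "203.0.113.10", Term: "xterm", Authenticated: true, StartedAt: "2026-05-01T10:00:00Z"},
	"sess-b1": {UID: "sess-b1", TenantID: "tenant-b", Username: "bob", DeviceUID: "dev-b",
		IPAddress: "198.51.100.7", Term: "xterm-256color", Authenticated: true, StartedAt: "2026-05-02T11:30:00Z"},
}

// vulnerableGet is the pre-fix shape: the lookup is keyed on uid alone, so the
// caller's tenant is never consulted and any authenticated caller receives
// any tenant's session record.
func vulnerableGet(callerTenant, uid string) (int, *Session) {
	s, ok := sessions[uid]
	if !ok {
		return http.StatusNotFound, nil
	}
	return http.StatusOK, &s
}

// hardenedGet scopes the lookup to the caller's tenant. A record that exists
// but belongs to another tenant is answered exactly like a missing one, so the
// response does not reveal whether a uid exists in some other namespace.
func hardenedGet(callerTenant, uid string) (int, *Session) {
	s, ok := sessions[uid]
	if !ok || s.TenantID != callerTenant {
		return http.StatusNotFound, nil
	}
	return http.StatusOK, &s
}

// sessionHandler wires a lookup function to GET /api/sessions/:uid. The
// caller's tenant is assumed to have been resolved from a verified token by
// upstream auth middleware and placed in the X-Tenant-ID header.
func sessionHandler(lookup func(string, string) (int, *Session)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tenant := r.Header.Get("X-Tenant-ID")
		if r.Method != http.MethodGet || tenant == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		uid := strings.TrimPrefix(r.URL.Path, "/api/sessions/")
		code, s := lookup(tenant, uid)
		if s == nil {
			http.Error(w, http.StatusText(code), code)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(s)
	})
}

// probe performs one in-process request as the given tenant and returns the
// HTTP status code, so the two handler variants can be compared in a test.
func probe(h http.Handler, tenant, uid string) int {
	rr := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/sessions/"+uid, nil)
	req.Header.Set("X-Tenant-ID", tenant)
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	variants := map[string]func(string, string) (int, *Session){
		"vulnerable": vulnerableGet,
		"hardened":   hardenedGet,
	}
	for name, fn := range variants {
		h := sessionHandler(fn)
		fmt.Printf("%-10s own session: %d, other tenant's session: %d\n",
			name, probe(h, "tenant-a", "sess-a1"), probe(h, "tenant-a", "sess-b1"))
	}
}
```

In a real service the tenant constraint belongs in the data-access query itself (filter on both uid and tenant), not only in a post-fetch comparison, so that every caller of the repository gets the scoping for free; returning 404 rather than 403 for a foreign record is the usual choice because it keeps the uid space unenumerable across tenants.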


Scores

CVSS v3 6.5
EPSS 0.0025
EPSS Percentile 15.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-639
Status published
Products (3)
shellhub/shellhub < 0.24.2
shellhub-io/shellhub 0 - 0.24.2 (Go)
shellhub-io/shellhub < 0.24.2
Published May 13, 2026
Tracked Since May 14, 2026