CVE-2026-44424
Severity: MEDIUM
ShellHub: Cross-tenant IDOR in `GET /api/devices/:uid` discloses device data of any namespace
Title source: CNA
Description
ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2.
References (1)
https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f (x_refsource_confirm)
Scores
CVSS v3: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack vector: NETWORK
EPSS: 0.0025
EPSS percentile: 15.5%
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: no
Technical impact: partial
Details
CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
Status: published
Products (3)
shellhub/shellhub: < 0.24.2
shellhub-io/shellhub (Go): 0 - 0.24.2
shellhub-io/shellhub: < 0.24.2
Published: May 13, 2026
Tracked since: May 14, 2026