CVE-2026-44426

MEDIUM

ShellHub: Cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check

Title source: cna

Description

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/namespaces/:tenant returns the full namespace object — including the members list (user IDs, e-mails, roles), settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own tenant scope. The handler conditionally skips the membership check when the user ID (X-ID) is absent, which is exactly the case for API Key authentication. This vulnerability is fixed in 0.24.2.

References (1)

Core 1

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/shellhub-io/shellhub/security/advisories/GHSA-vwx9-7qcf-gg7f

Scores

CVSS v3 6.5

EPSS 0.0031

EPSS Percentile 22.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (3)

shellhub/shellhub < 0.24.2

shellhub-io/shellhub 0 - 0.24.2Go

shellhub-io/shellhub < 0.24.2

Published May 13, 2026

Tracked Since May 14, 2026