ShellHub: Cross-tenant IDOR in `GET /api/devices/:uid` discloses device data of...

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2.

Basic Information

ID CVE-2026-44424

Source GitHub_M

Published May 13, 2026 at 21:06

Affected Product

Vendor shellhub-io

Product shellhub

Version < 0.24.2

Affected Versions shellhub-io shellhub < 0.24.2

CWE Classification

CWE-639

References

github.com /shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f

{
    "lastseen": "",
    "description": "ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2.",
    "published": "2026-05-13T21:06:49.859Z",
    "modified": "2026-05-13T21:06:49.859Z",
    "type": "cve",
    "title": "ShellHub: Cross-tenant IDOR in `GET /api/devices/:uid` discloses device data of any namespace",
    "source": "GitHub_M",
    "references": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f",
    "id": "CVE-2026-44424",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "shellhub-io shellhub < 0.24.2",
    "sourceHref": "",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "shellhub",
    "version": "< 0.24.2",
    "vendor": "shellhub-io",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

ShellHub: Cross-tenant IDOR in `GET /api/devices/:uid` discloses device data of any namespace_CVE-2026-44424