Description
ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace. This vulnerability is fixed in 0.24.2.
Published: 2026-05-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A missing tenant scoping check in the GET /api/sessions/:uid endpoint allows an authenticated user to read session records that belong to any other namespace. The exposed data includes SSH usernames, device identifiers, IP addresses, terminal types, authentication status, and timestamps. This information can aid attackers in gathering reconnaissance about other tenants' environments or facilitate further lateral movement. The weakness is an Insecure Direct Object Reference (CWE-639).
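The flaw described above is a lookup keyed on the session UID alone. The following added example (constructed for this page, not ShellHub's own code; the Session and Store types and the sample data are hypothetical) shows that unscoped lookup beside the hardened form, where the caller's tenant is part of the key and a cross-tenant miss is indistinguishable from an unknown UID.

```go
package main

import (
	"errors"
	"fmt"
)

// Session is a constructed record with a few of the fields the advisory
// says the endpoint disclosed (hypothetical type, not ShellHub's own).
type Session struct {
	UID, TenantID, Username, RemoteIP string
}

// ErrNotFound covers both an unknown UID and a UID owned by another
// namespace, so callers cannot probe for other tenants' sessions.
var ErrNotFound = errors.New("session not found")
type Store struct{ byUID map[string]Session } // in-memory stand-in for the DB

// NewStore seeds one session in each of two namespaces (constructed data).
func NewStore() *Store {
	return &Store{byUID: map[string]Session{
		"sess-a": {"sess-a", "tenant-a", "alice", "198.51.100.10"},
		"sess-b": {"sess-b", "tenant-b", "bob", "203.0.113.7"},
	}}
}

// GetUnscoped models the pre-0.24.2 behaviour: the lookup key is the UID
// alone, so any authenticated caller can read any namespace's session.
func (s *Store) GetUnscoped(uid string) (Session, error) {
	if sess, ok := s.byUID[uid]; ok {
		return sess, nil
	}
	return Session{}, ErrNotFound
}

// GetScoped is the hardened form: the caller's tenant (taken from the
// authenticated identity, never from the request) is part of the lookup.
func (s *Store) GetScoped(callerTenant, uid string) (Session, error) {
	if sess, ok := s.byUID[uid]; ok && sess.TenantID == callerTenant {
		return sess, nil
	}
	return Session{}, ErrNotFound
}

func main() {
	st := NewStore()
	leaked, _ := st.GetUnscoped("sess-b") // tenant-a reading tenant-b's record
	_, err := st.GetScoped("tenant-a", "sess-b")
	fmt.Println(leaked.Username, leaked.RemoteIP, "|", err)
}
```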

Affected Systems

ShellHub from shellhub‑io is affected. All releases before version 0.24.2 allow this IDOR. The vulnerability was fixed in 0.24.2, so any installation using an earlier version is vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA KEV. The likely exploit requires an attacker to be logged in to the ShellHub instance and to have at least tenant‑level authentication, so the attack surface is limited to authenticated internal users. However, once access is obtained, the disclosure of detailed session information could be leveraged for further attacks or data exfiltration.

Generated by OpenCVE AI on May 13, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply ShellHub version 0.24.2 or later to close the IDOR flaw
  • Restrict user permissions so that only authorized tenants can execute GET /api/sessions/:uid by enforcing proper role‑based access controls
  • Audit and monitor API access logs for suspicious cross‑tenant session reads

Advisories
  Source: Github GHSA
  ID: GHSA-9w9c-9w8m-w89q
  Title: ShellHub has cross-tenant IDOR in `GET /api/sessions/:uid` that discloses SSH session data
History

Fri, 15 May 2026 17:30:00 +0000
  First Time appeared (values added): Shellhub; Shellhub shellhub
  CPEs (values added): cpe:2.3:a:shellhub:shellhub:*:*:*:*:*:*:*:*
  Vendors & Products (values added): Shellhub; Shellhub shellhub

Thu, 14 May 2026 15:00:00 +0000
  First Time appeared (values added): Shellhub-io; Shellhub-io shellhub
  Vendors & Products (values added): Shellhub-io; Shellhub-io shellhub

Thu, 14 May 2026 13:15:00 +0000
  Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 21:45:00 +0000
  Description (values added): ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace. This vulnerability is fixed in 0.24.2.
  Title (values added): ShellHub: Cross-tenant IDOR in `GET /api/sessions/:uid` discloses SSH session data
  Weaknesses (values added): CWE-639
  References (values added)
  Metrics (values added): cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Shellhub Shellhub
Shellhub-io Shellhub
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T12:50:40.262Z

Reserved: 2026-05-06T14:40:00.953Z

Link: CVE-2026-44423

Vulnrichment

Updated: 2026-05-14T12:47:58.084Z

NVD

Status: Analyzed

Published: 2026-05-13T22:16:44.103

Modified: 2026-05-15T17:16:32.790

Link: CVE-2026-44423

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:11Z

Weaknesses