Description
ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2.
Published: 2026-05-13
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ShellHub's API endpoint GET /api/devices/:uid returns the full device object to any authenticated caller, but it does not verify that the requested device belongs to the caller's namespace. As a result, any authenticated user who knows or can guess a device UID can read device metadata from any other namespace. This is an authorization bypass through a user-controlled key (CWE-639): the caller-supplied UID selects the record without an ownership check, so attackers can obtain information about devices they should not be able to see. The impact is a breach of confidentiality that can expose operational details and potentially aid further attacks against those devices.

Affected Systems

ShellHub by shellhub-io, versions prior to 0.24.2. The issue exists in all builds before the 0.24.2 release and is fixed in that version and later releases.

Risk and Exploitability

The CVSS score of 6.5 places this vulnerability in the moderate range, and the EPSS score is not available, indicating no publicly known exploitation data yet. Because an attacker must be authenticated and must know or guess a device UID, exploitation is limited to situations where an account has broad API access. This vulnerability is not currently listed in CISA's KEV catalog. Exploitation can be achieved by a legitimate user who, intentionally or not, requests a UID belonging to another tenant's device, leading to cross-tenant data disclosure.

Generated by OpenCVE AI on May 13, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ShellHub to version 0.24.2 or later, where the authorization check has been added to the GET /api/devices/:uid endpoint.
  • If upgrading immediately is not possible, restrict API access to only users that need it, and minimize the scope of API keys or JWTs so that they cannot access device endpoints beyond their own namespace.
  • Implement an internal policy to verify tenant ownership on all endpoints that return sensitive data, ensuring that only authorized users can retrieve device metadata.

Generated by OpenCVE AI on May 13, 2026 at 22:25 UTC.
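
As an added illustration of the third recommended action, not code from ShellHub or OpenCVE, the Go snippet below contrasts an unscoped lookup by UID (the pattern behind this advisory) with one that keys on the caller's tenant as well; the Device fields, the in-memory store and the sample records are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Device is a constructed stand-in; field names are assumptions, not ShellHub's schema.
type Device struct{ UID, TenantID, Name string }

// ErrNotFound covers both "no such device" and "not your device", so the
// caller cannot tell whether a guessed UID exists in another tenant.
var ErrNotFound = errors.New("device not found")

// Store is an in-memory table keyed by UID (constructed sample data).
type Store map[string]*Device

// GetByUID is the vulnerable pattern: the caller-supplied UID alone selects
// the record, whatever namespace owns it (CWE-639).
func (s Store) GetByUID(uid string) (*Device, error) {
	if d, ok := s[uid]; ok {
		return d, nil
	}
	return nil, ErrNotFound
}

// GetByUIDForTenant is the hardened pattern: the tenant comes from the verified
// JWT/API-key context, not the request, and is part of the lookup itself.
func (s Store) GetByUIDForTenant(uid, callerTenant string) (*Device, error) {
	d, ok := s[uid]
	if !ok || d.TenantID != callerTenant {
		return nil, ErrNotFound
	}
	return d, nil
}

func sampleStore() Store {
	return Store{
		"dev-a1": {UID: "dev-a1", TenantID: "tenant-a", Name: "edge-router"},
		"dev-b1": {UID: "dev-b1", TenantID: "tenant-b", Name: "lab-pi"},
	}
}

func main() {
	s := sampleStore()
	_, unscoped := s.GetByUID("dev-b1") // tenant-a caller, tenant-b UID
	_, scoped := s.GetByUIDForTenant("dev-b1", "tenant-a")
	fmt.Println("unscoped leaks:", unscoped == nil, "scoped denies:", errors.Is(scoped, ErrNotFound))
}
```

Returning the same ErrNotFound for a foreign UID and for an unknown one keeps the endpoint from acting as an existence oracle for device UIDs in other namespaces.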

Advisories
Source: Github GHSA
ID: GHSA-j72x-xfwg-783f
Title: ShellHub has cross-tenant IDOR in `GET /api/devices/:uid` that discloses device data of any namespace
History

Mon, 18 May 2026 13:45:00 +0000

  First Time appeared (values added): Shellhub; Shellhub shellhub
  CPEs (values added): cpe:2.3:a:shellhub:shellhub:*:*:*:*:*:*:*:*
  Vendors & Products (values added): Shellhub; Shellhub shellhub

Thu, 14 May 2026 15:00:00 +0000

  First Time appeared (values added): Shellhub-io; Shellhub-io shellhub
  Vendors & Products (values added): Shellhub-io; Shellhub-io shellhub

Thu, 14 May 2026 13:15:00 +0000

  Metrics (values added): ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 21:45:00 +0000

  Description (values added): ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2.
  Title (values added): ShellHub: Cross-tenant IDOR in `GET /api/devices/:uid` discloses device data of any namespace
  Weaknesses (values added): CWE-639
  References (values added):
  Metrics (values added): cvssV3_1
  {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-05-14T12:58:51.178Z
Reserved: 2026-05-06T14:40:00.953Z
Link: CVE-2026-44424

Vulnrichment

Updated: 2026-05-14T12:58:47.751Z

NVD

Status: Analyzed
Published: 2026-05-13T22:16:44.257
Modified: 2026-05-18T13:35:06.663
Link: CVE-2026-44424

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:33:12Z
