Impact
ShellHub's GET /api/namespaces/:tenant endpoint can return all information about a namespace, including member lists, settings, and device counts, to any caller authenticated solely with an API key. The handler skips the membership check when the X-ID header is missing, which is the case for API key authentication, so an attacker can access data for tenants they no longer belong to, or never belonged to. This can lead to the disclosure of user identities, contact information and administrative roles. Based on the description, it is inferred that the disclosed information could facilitate social engineering or privilege escalation. The flaw is a classic Insecure Direct Object Reference (CWE-639).
Affected Systems
ShellHub, the centralized SSH gateway, is vulnerable in all releases prior to 0.24.2. The issue affects any deployment where API keys are in use, since the tenant check is bypassed for API key callers. The vendor's fix is available only in ShellHub 0.24.2 and later.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate-severity vulnerability. The attack vector is not explicitly stated in the CVE, but can be inferred as network-based because the vulnerability involves an API call. An attacker with a valid API key can directly request another tenant's namespace and retrieve sensitive data. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog, suggesting no known public exploits. The most reliable mitigation is to upgrade the software; a temporary measure is to enforce tenant membership validation before exposing namespace data.
OpenCVE Enrichment
Github GHSA