CVE-2026-44426 PUBLISHED

ShellHub: Cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check

Assigner: GitHub_M
Reserved: 06.05.2026 Published: 13.05.2026 Updated: 13.05.2026

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/namespaces/:tenant returns the full namespace object — including the members list (user IDs, e-mails, roles), settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own tenant scope. The handler conditionally skips the membership check when the user ID (X-ID) is absent, which is exactly the case for API Key authentication. This vulnerability is fixed in 0.24.2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 6.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	Low	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	shellhub-io
Product	shellhub
Versions	Version < 0.24.2 is affected

References

https://github.com/shellhub-io/shellhub/security/advisories/GHSA-vwx9-7qcf-gg7f

Problem Types

CWE-639: Authorization Bypass Through User-Controlled Key CWE