CVE-2026-44426 MEDIUM

CVE-2026-44426: ShellHub: Cross-tenant IDOR in `GET /api/namespaces/:tenant` via API Key bypasses membership check

Vendor Shellhub-Io
Product shellhub
Weakness CWE-639 · IDOR
Published May 13, 2026
Last update May 14, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/namespaces/:tenant returns the full namespace object — including the members list (user IDs, e-mails, roles), settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own tenant scope. The handler conditionally skips the membership check when the user ID (X-ID) is absent, which is exactly the case for API Key authentication. This vulnerability is fixed in 0.24.2.

Key dates

02Disclosure timeline

May 13, 2026 CVE published
May 14, 2026 Record updated