CVE-2026-44423 Overview
CVE-2026-44423 is an authorization flaw in ShellHub, a centralized Secure Shell (SSH) gateway used to manage remote device access. Versions prior to 0.24.2 fail to enforce tenant scoping on the GET /api/sessions/:uid endpoint. Any authenticated user can retrieve session records belonging to other namespaces, exposing sensitive operational metadata across tenant boundaries. The disclosed data includes SSH usernames, device unique identifiers (UIDs), remote IP addresses, terminal types, authentication status, and timestamps. The issue maps to [CWE-639] (Authorization Bypass Through User-Controlled Key) and is fixed in ShellHub 0.24.2.
Critical Impact
Authenticated users in any tenant can enumerate SSH session metadata across the entire ShellHub deployment, breaking multi-tenant isolation guarantees.
Affected Products
- ShellHub versions prior to 0.24.2
- Self-hosted ShellHub SSH gateway deployments
- Multi-tenant ShellHub installations using namespace isolation
Discovery Timeline
- 2026-05-13 - CVE-2026-44423 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44423
Vulnerability Analysis
ShellHub organizes resources by tenant using namespaces, so users in one namespace should not access data belonging to another. The GET /api/sessions/:uid endpoint breaks this model. It accepts a session UID supplied by the caller and returns the full session object without validating that the session belongs to the caller's tenant.
An attacker with any valid ShellHub account can iterate or guess session UIDs and read records from unrelated namespaces. The exposed fields include the SSH username used to connect, the device UID, the remote IP address of the operator, the terminal type, the authenticated flag, and connection timestamps. This information supports reconnaissance against other tenants, including identification of active administrators, device inventories, and source networks.
The flaw is purely a confidentiality issue. The CVSS vector indicates no integrity or availability impact, and exploitation requires only low-privileged authenticated access over the network.
Root Cause
The session lookup handler resolves the requested session by UID and returns it directly. It omits the tenant or namespace check that other ShellHub endpoints apply, classifying the bug as a Broken Object Level Authorization issue under [CWE-639]. The session UID functions as a user-controlled key that is trusted without an ownership check.
Attack Vector
Exploitation requires an authenticated ShellHub account and network access to the API. The attacker issues an HTTP GET request to /api/sessions/:uid with a session UID. Valid UIDs return the full session payload regardless of which namespace owns the session. No special privileges, user interaction, or chained vulnerabilities are required. See the GitHub Security Advisory GHSA-9w9c-9w8m-w89q for the maintainer's description of the affected route.
Detection Methods for CVE-2026-44423
Indicators of Compromise
- Repeated GET /api/sessions/:uid requests from a single authenticated user across many distinct session UIDs.
- API access patterns where the requesting user's tenant does not match the tenant of the returned session record.
- Enumeration sequences against the sessions endpoint that lack corresponding interactive SSH activity from the same account.
Detection Strategies
- Inspect ShellHub API access logs and correlate the calling user's namespace with the namespace of the returned session UID.
- Alert on accounts that query session UIDs they did not create or participate in.
- Baseline normal volumes of /api/sessions/:uid lookups per user and flag statistical outliers.
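As an added illustration of the first two strategies (this is not part of the advisory or of ShellHub's code), the Go program below joins constructed API access log lines, in an assumed format, against a constructed session-UID-to-namespace table and flags both cross-tenant reads and enumeration-scale lookup volumes:

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// sessionTenant: constructed stand-in for the sessions collection, mapping session UID -> owning namespace.
var sessionTenant = map[string]string{
	"sess-a1": "tenant-a", "sess-a2": "tenant-a", "sess-b1": "tenant-b", "sess-c1": "tenant-c",
}

// accessLog: constructed access log lines in an assumed format: <ts> user=<u> tenant=<caller ns> <method> <path> <status>
const accessLog = `2026-05-14T09:00:01Z user=alice tenant=tenant-a GET /api/sessions/sess-a1 200
2026-05-14T09:00:05Z user=alice tenant=tenant-a GET /api/sessions/sess-a2 200
2026-05-14T09:01:10Z user=mallory tenant=tenant-c GET /api/sessions/sess-a1 200
2026-05-14T09:01:11Z user=mallory tenant=tenant-c GET /api/sessions/sess-b1 200
2026-05-14T09:01:12Z user=mallory tenant=tenant-c GET /api/sessions/sess-c1 200
2026-05-14T09:02:00Z user=bob tenant=tenant-b GET /api/devices 200`

// lookupRe matches only GET /api/sessions/:uid lines and captures the fields the checks need.
var lookupRe = regexp.MustCompile(`^(\S+) user=(\S+) tenant=(\S+) GET /api/sessions/([^/\s]+) (\d{3})$`)
// Finding is one alert: the flagged user and the reason.
type Finding struct{ User, Reason string }
// detect flags successful reads whose caller tenant differs from the owner, and users touching more than maxDistinct UIDs.
func detect(log string, maxDistinct int) []Finding {
	var findings []Finding
	distinct := map[string]map[string]bool{} // user -> set of session UIDs looked up
	for _, line := range strings.Split(log, "\n") {
		m := lookupRe.FindStringSubmatch(line)
		if m == nil || m[5] != "200" {
			continue // not a successful session lookup
		}
		ts, user, callerTenant, uid := m[1], m[2], m[3], m[4]
		if owner, ok := sessionTenant[uid]; ok && owner != callerTenant {
			findings = append(findings, Finding{user, fmt.Sprintf("cross-tenant read of %s (owner %s) at %s", uid, owner, ts)})
		}
		if distinct[user] == nil {
			distinct[user] = map[string]bool{}
		}
		distinct[user][uid] = true
	}
	for user, uids := range distinct {
		if len(uids) > maxDistinct {
			findings = append(findings, Finding{user, fmt.Sprintf("enumeration: %d distinct session UIDs", len(uids))})
		}
	}
	return findings
}
```

On the constructed log, `detect(accessLog, 2)` yields two cross-tenant findings and one enumeration finding, all for the same account; the threshold should come from the per-user baseline the next bullet describes.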
Monitoring Recommendations
- Forward ShellHub API gateway logs to a centralized log analytics platform for cross-tenant query analysis.
- Track authentication events alongside session retrieval calls to detect low-interaction reconnaissance accounts.
- Review audit logs after upgrade to identify historical cross-namespace lookups that occurred before remediation.
How to Mitigate CVE-2026-44423
Immediate Actions Required
- Upgrade ShellHub to version 0.24.2 or later, which enforces tenant scoping on the session lookup endpoint.
- Rotate any credentials or device identifiers that may have been exposed through session metadata to untrusted tenants.
- Audit existing accounts and remove inactive or unnecessary users with API access to limit the authenticated attack surface.
Patch Information
The vulnerability is fixed in ShellHub 0.24.2. The patch adds namespace ownership validation to the GET /api/sessions/:uid handler so that requests for sessions outside the caller's tenant are rejected. Refer to the ShellHub GitHub Security Advisory for the authoritative fix reference.
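To make the root cause and the fix concrete, here is an added Go sketch that is not ShellHub's code: an in-memory session store with a lookup that trusts the UID alone (the pre-0.24.2 pattern) beside one that makes the caller's namespace part of the lookup. Struct field names, tenant names and session UIDs are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Session carries the fields the advisory lists as exposed; the field names
// are illustrative and not ShellHub's real schema.
type Session struct {
	UID, TenantID, Username, DeviceUID, RemoteIP, Term string
	Authenticated                                     bool
}

// ErrNotFound covers both missing and foreign sessions, so the scoped lookup never confirms a UID exists elsewhere.
var ErrNotFound = errors.New("session not found")

// store is a constructed in-memory stand-in for the sessions collection, one session per namespace.
var store = map[string]Session{
	"sess-a1": {"sess-a1", "tenant-a", "root", "dev-0001", "203.0.113.10", "xterm-256color", true},
	"sess-b1": {"sess-b1", "tenant-b", "ops", "dev-0002", "198.51.100.7", "xterm", true},
}

// getSessionVulnerable models the pre-0.24.2 behaviour: the UID from the URL
// is the only key, and the caller's tenant is never consulted.
func getSessionVulnerable(callerTenant, uid string) (Session, error) {
	s, ok := store[uid]
	if !ok {
		return Session{}, ErrNotFound
	}
	return s, nil // a tenant-b record is handed to a tenant-a caller here
}

// getSessionScoped models the fix: ownership is part of the lookup, so a
// session owned by another namespace is treated exactly like a missing one.
func getSessionScoped(callerTenant, uid string) (Session, error) {
	s, ok := store[uid]
	if !ok || s.TenantID != callerTenant {
		return Session{}, ErrNotFound
	}
	return s, nil
}

func main() {
	if s, err := getSessionVulnerable("tenant-a", "sess-b1"); err == nil {
		fmt.Printf("vulnerable: tenant-a read %s@%s from %s\n", s.Username, s.DeviceUID, s.RemoteIP)
	}
	_, err := getSessionScoped("tenant-a", "sess-b1")
	fmt.Println("scoped:", err)
}
```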
Workarounds
- Restrict ShellHub API access to trusted networks using firewall or reverse proxy rules until the upgrade is applied.
- Disable or limit creation of new low-privilege user accounts in multi-tenant deployments to reduce the pool of authenticated callers.
- Place an API gateway in front of ShellHub that strips or rejects direct /api/sessions/:uid calls until patching is complete.
# Configuration example: block direct access to the vulnerable endpoint at an Nginx reverse proxy until upgrade
# Note: this also blocks legitimate same-tenant session lookups; remove the rule once ShellHub 0.24.2 or later is deployed
location ~ ^/api/sessions/[^/]+$ {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.