CVE-2026-44424 Overview
CVE-2026-44424 is an authorization flaw in ShellHub, a centralized Secure Shell (SSH) gateway used to manage remote device fleets. The vulnerability affects ShellHub versions prior to 0.24.2. The GET /api/devices/:uid endpoint returns the full device object to any authenticated caller without confirming that the device belongs to the caller's namespace (tenant). Any user holding a valid JSON Web Token (JWT) or API Key can read device metadata from other tenants by supplying a known or guessed device Unique Identifier (UID). The issue is tracked as an Insecure Direct Object Reference [CWE-639] and is fixed in ShellHub 0.24.2.
Critical Impact
Authenticated tenants can retrieve device metadata belonging to other tenants, breaking the multi-tenant isolation model of ShellHub deployments.
Affected Products
- ShellHub versions prior to 0.24.2
- Self-hosted ShellHub SSH gateway deployments
- Multi-tenant ShellHub instances exposing the device API
Discovery Timeline
- 2026-05-13 - CVE-2026-44424 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44424
Vulnerability Analysis
ShellHub organizes resources into namespaces that represent tenant boundaries. Devices, sessions, and credentials are scoped to a namespace, and API consumers authenticate using either a JWT or an API Key tied to a specific tenant. The expectation is that requests for tenant-owned resources are validated against the caller's namespace before data is returned.
The GET /api/devices/:uid route violates this expectation. The handler authenticates the caller but then loads the device record using only the uid path parameter. It does not compare the device's owning namespace to the caller's namespace claim. The full device object, including hostname, tags, and connection metadata, is serialized in the response body.
The condition maps to Authorization Bypass through User-Controlled Key [CWE-639]. Confidentiality of device records is impacted, while integrity and availability are unaffected. Exploitation requires a valid account on the target ShellHub instance and knowledge or guessing of a target device UID.
Root Cause
The handler enforces authentication but omits the namespace-scoped authorization check that other tenant-aware endpoints perform. The device lookup uses the supplied UID as the sole selection key, allowing cross-tenant reads.
Attack Vector
An attacker registers or already controls an account on a shared ShellHub instance. The attacker then issues an authenticated HTTP GET request to /api/devices/:uid for a UID associated with a different tenant. The server returns the device record without rejecting the request. UIDs can be obtained from logs, exposed inventories, partner integrations, or guessing where UID entropy is weak.
The vulnerability is described in the ShellHub GitHub Security Advisory GHSA-j72x-xfwg-783f. No verified proof-of-concept code is published with this advisory.
Detection Methods for CVE-2026-44424
Indicators of Compromise
- Authenticated GET /api/devices/:uid requests where the requested uid does not belong to the caller's namespace
- Single accounts or API Keys enumerating large numbers of distinct device UIDs in short windows
- Requests originating from API Keys outside their expected source IP ranges or usage patterns
Detection Strategies
- Parse ShellHub API access logs and join request uid values against the namespace ownership table to flag cross-tenant reads
- Alert on bursts of /api/devices/ requests from a single principal that exceed baseline rates
- Correlate API Key usage with the tenant that owns each accessed device UID to identify boundary violations
Monitoring Recommendations
- Forward ShellHub reverse-proxy and application logs to a centralized analytics platform with tenant context preserved
- Track per-account and per-API-Key request counts to the device API and alert on deviations
- Review JWT issuance and API Key creation events for accounts that subsequently query devices outside their namespace
How to Mitigate CVE-2026-44424
Immediate Actions Required
- Upgrade all ShellHub server instances to version 0.24.2 or later
- Rotate API Keys and force re-authentication for accounts on multi-tenant instances after patching
- Audit device API logs since deployment to identify cross-tenant access attempts
- Restrict ShellHub administrative APIs to trusted networks where feasible
Patch Information
The maintainers fixed CVE-2026-44424 in ShellHub 0.24.2 by enforcing namespace ownership checks on the GET /api/devices/:uid handler. Operators should follow the upgrade guidance in the ShellHub GitHub Security Advisory GHSA-j72x-xfwg-783f and redeploy affected containers.
Workarounds
- Restrict access to the ShellHub API to vetted accounts until the upgrade is applied
- Place a reverse proxy or API gateway in front of ShellHub to enforce per-tenant authorization on /api/devices/:uid
- Disable shared multi-tenant deployments and isolate tenants into separate ShellHub instances if patching is delayed
# Upgrade ShellHub to the patched release
docker compose pull
docker compose up -d
# Verify the running ShellHub version is 0.24.2 or later
curl -s https://<shellhub-host>/info | jq '.version'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
