CVE-2026-44426 Overview
CVE-2026-44426 affects ShellHub, a centralized Secure Shell (SSH) gateway used to manage remote device fleets. Versions prior to 0.24.2 expose the GET /api/namespaces/:tenant endpoint to cross-tenant information disclosure. Any caller authenticated with an API Key can retrieve the full namespace object for any tenant, regardless of the API Key's own tenant scope. The returned data includes the members list with user IDs, e-mail addresses, roles, namespace settings, and device counts. The flaw stems from a missing authorization check, classified as [CWE-639] Authorization Bypass Through User-Controlled Key. ShellHub maintainers fixed the issue in version 0.24.2.
Critical Impact
Authenticated API Key holders can enumerate members, roles, and device counts across every tenant in a ShellHub deployment, enabling reconnaissance for follow-on attacks.
Affected Products
- ShellHub versions prior to 0.24.2
- ShellHub centralized SSH gateway deployments using API Key authentication
- Multi-tenant ShellHub installations exposing the /api/namespaces/:tenant endpoint
Discovery Timeline
- 2026-05-13 - CVE-2026-44426 published to the National Vulnerability Database (NVD)
- 2026-05-13 - Last updated in the NVD database
Technical Details for CVE-2026-44426
Vulnerability Analysis
The vulnerability resides in the ShellHub API handler that serves GET /api/namespaces/:tenant. The handler is responsible for returning namespace metadata to authorized callers. ShellHub supports two authentication modes: user session authentication, which includes an X-ID header carrying the authenticated user identifier, and API Key authentication, which does not include X-ID. The handler conditionally skips the namespace membership check when X-ID is absent. API Key callers therefore bypass the membership verification entirely.
The response payload includes the full namespace object: the members list with user IDs, e-mail addresses, and role assignments, namespace configuration settings, and aggregate device counts. An attacker holding any valid API Key can iterate tenant identifiers and harvest membership data across the deployment. The disclosed information supports targeted phishing, role-based privilege mapping, and broader lateral movement planning.
Root Cause
The root cause is a conditional authorization branch that treats the absence of X-ID as a reason to skip the membership check rather than as a signal to apply API Key tenant scoping. The API Key's bound tenant is not compared against the :tenant path parameter before the namespace object is returned. This matches the [CWE-639] pattern where a user-controlled identifier in the request path drives access to a resource without server-side authorization.
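To make the faulty branch concrete, the following is an added Go example written for this page, not ShellHub's own handler code: it contrasts the skipped check with the tenant-scoped one. Caller, MemberLookup and both authorize functions are hypothetical names.

```go
package main

import "errors"

// Caller is a hypothetical view of the authenticated request; ShellHub's real
// handler types are not reproduced. UserID is the X-ID header value for session
// auth (empty for API Keys); KeyTenant is the tenant an API Key is bound to.
type Caller struct {
	UserID    string
	KeyTenant string
}

// MemberLookup stands in for the namespace membership query (assumed).
type MemberLookup func(tenant, userID string) bool

var ErrForbidden = errors.New("forbidden")

// vulnerableAuthorize models the pre-0.24.2 branch: with no X-ID present the
// membership check is skipped, so any API Key reads any tenant's namespace.
func vulnerableAuthorize(c Caller, tenant string, isMember MemberLookup) error {
	if c.UserID != "" && !isMember(tenant, c.UserID) {
		return ErrForbidden
	}
	return nil
}

// fixedAuthorize applies the check the advisory says 0.24.2 enforces: session
// callers must be members and API Key callers must be bound to :tenant.
// Absence of X-ID selects the key-scoping rule instead of skipping the check.
func fixedAuthorize(c Caller, tenant string, isMember MemberLookup) error {
	switch {
	case c.UserID != "":
		if isMember(tenant, c.UserID) {
			return nil
		}
	case c.KeyTenant != "":
		if c.KeyTenant == tenant {
			return nil
		}
	}
	return ErrForbidden // no identity, wrong tenant, or not a member
}
```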
Attack Vector
The attack is performed over the network by an authenticated caller. The attacker needs only a valid ShellHub API Key for any tenant in the deployment. The attacker issues authenticated GET requests to /api/namespaces/:tenant, substituting target tenant identifiers in the path. The server returns the full namespace object for each requested tenant. No user interaction is required, and the attack does not modify data or affect availability.
No verified exploit code is publicly available. See the GitHub Security Advisory GHSA-vwx9-7qcf-gg7f for the maintainer's technical description.
Detection Methods for CVE-2026-44426
Indicators of Compromise
- API access logs showing requests to /api/namespaces/:tenant authenticated with an API Key targeting tenant identifiers that do not match the key's bound tenant.
- High-volume or sequential enumeration of distinct :tenant path values from a single API Key within a short interval.
- Successful 200 OK responses to namespace lookups originating from IP addresses or service accounts that historically only accessed device endpoints.
Detection Strategies
- Parse ShellHub API access logs and compare the :tenant path parameter against the tenant scope recorded for each API Key. Alert on any mismatch.
- Build a baseline of API Key request patterns and flag deviations such as access to namespace endpoints from keys that previously only used device or SSH endpoints.
- Correlate API Key usage with downstream account activity, including new device registrations or role changes, to identify reconnaissance that precedes privilege abuse.
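An added Go example (not part of this page or of the ShellHub project) implementing the first strategy above over constructed access-log lines: each namespace read is compared against the tenant its API Key is bound to. The log format, key ids and the keyScope inventory are assumptions.

```go
package main

import "strings"

// Alert records one namespace read whose :tenant differs from the key's scope.
type Alert struct{ Key, BoundTenant, RequestedTenant string }

// Constructed sample lines, "<api-key-id> <method> <path> <status>"; the real ShellHub log format is assumed, not reproduced.
var sampleLog = []string{
	"k1 GET /api/namespaces/tenant-a 200",
	"k1 GET /api/namespaces/tenant-b 200",
	"k1 GET /api/namespaces/tenant-c 200",
	"k2 GET /api/devices 200",
	"k2 GET /api/namespaces/tenant-b 200",
	"k9 GET /api/namespaces/tenant-a 200",
}

// keyScope maps each API Key id to its bound tenant (constructed inventory).
var keyScope = map[string]string{"k1": "tenant-a", "k2": "tenant-b"}

// namespaceTenant returns the :tenant segment of /api/namespaces/:tenant, or "".
func namespaceTenant(path string) string {
	const prefix = "/api/namespaces/"
	if !strings.HasPrefix(path, prefix) {
		return ""
	}
	tenant, _, _ := strings.Cut(strings.TrimPrefix(path, prefix), "/")
	return tenant
}

// findMismatches returns one Alert per namespace read whose :tenant is not the
// key's bound tenant; a key missing from scope alerts with an empty BoundTenant.
func findMismatches(lines []string, scope map[string]string) []Alert {
	var alerts []Alert
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) < 3 {
			continue // malformed line
		}
		key, tenant := f[0], namespaceTenant(f[2])
		if tenant == "" {
			continue // not a namespace read
		}
		if bound, ok := scope[key]; !ok || bound != tenant {
			alerts = append(alerts, Alert{key, bound, tenant})
		}
	}
	return alerts
}
```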
Monitoring Recommendations
- Enable verbose request logging on the ShellHub API gateway and forward logs to a central analytics platform for retention and search.
- Monitor for spikes in unique tenant identifiers queried per API Key per hour.
- Track API Key creation, rotation, and last-used timestamps to identify dormant keys that suddenly issue namespace queries.
How to Mitigate CVE-2026-44426
Immediate Actions Required
- Upgrade ShellHub to version 0.24.2 or later on all self-hosted instances.
- Audit existing API Keys, revoke unused keys, and rotate keys whose usage patterns indicate possible enumeration of /api/namespaces/:tenant.
- Review namespace membership and notify affected users if logs show cross-tenant namespace reads prior to the upgrade.
Patch Information
ShellHub maintainers released the fix in version 0.24.2. The patch enforces the membership and tenant-scope check for API Key callers on GET /api/namespaces/:tenant. Full details are available in the GitHub Security Advisory GHSA-vwx9-7qcf-gg7f.
Workarounds
- Restrict access to the ShellHub API to trusted networks using a reverse proxy or firewall until the upgrade is complete.
- Disable or scope API Key issuance to the minimum number of service accounts, and avoid sharing keys across tenants.
- Apply a reverse-proxy rule that rejects requests to /api/namespaces/:tenant when the authenticated API Key's tenant claim does not match the path parameter.
# Example: upgrade a Docker Compose ShellHub deployment to 0.24.2
export SHELLHUB_VERSION=0.24.2
docker compose pull
docker compose up -d
# Verify the image tag the api service is now running
docker compose images api
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.