CVE-2026-44424
Last modified
CVE-2026-44424 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). EPSS estimates a 0.25% chance of exploitation in the next 30 days.
Description
ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Shellhub | Shellhub | < 0.24.2 |
References
- https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783fExploit, Mitigation, Vendor Advisory
- https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783fExploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-44424?
How severe is CVE-2026-44424?
How do I fix CVE-2026-44424?
Are you affected by CVE-2026-44424?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST