CVE-2026-44424

6.5 MEDIUM

ShellHub is a centralized SSH gateway

Published: 2026-05-13 · Last updated: 2026-05-18

Severity and scoring

CVSS: 6.5 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-639

Affected products

Vendor	Product
shellhub	shellhub

Description

ShellHub is a centralized SSH gateway. Prior to 0.24.2, GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace. This vulnerability is fixed in 0.24.2.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-44424
[Vendor advisory]https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f
[Vendor advisory]https://github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f

Related CVEs

Same vendor

CVE-2026-44425 — ShellHub is a centralized SSH gateway (5.4 MEDIUM)

Same CWE

CVE-2026-44692 — Sharp is a content management framework built for Laravel as a package (7.7 HIGH)
CVE-2026-46558 — Plane is an open-source project management tool (8.3 HIGH)
CVE-2026-53471 — A flaw was found in migration-planner (9.6 CRITICAL)
CVE-2026-53470 — A flaw was found in migration-planner (9.6 CRITICAL)
CVE-2026-45563 — Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers (4.3 MEDIUM)