CVE-2026-44423

Name of the Vulnerable Software and Affected Versions ShellHub versions prior to 0.24.2

Description An issue exists where the endpoint "/api/sessions/:uid" returns the full session object to any authenticated caller without restricting the results to the caller's tenant. This allows an authenticated user to access session records from any other namespace, including the SSH username, device UID, remote IP, terminal type, authenticated flag, and timestamps. The flaw is located in the GetSession() function, which resolves the session by UID without applying a tenant filter.

Recommendations Update to version 0.24.2. As a temporary workaround, restrict access to the "/api/sessions/:uid" endpoint to minimize the risk of unauthorized data disclosure.