PT-2026-38314 · Shellhub · Shellhub
Published 2026-05-06 · Updated 2026-05-14 · CVE-2026-44424
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
ShellHub versions prior to 0.24.2
Description
The endpoint "/api/devices/:uid" returns the full device object to any authenticated user without verifying that the device belongs to the caller's namespace (tenant). An authenticated user holding a JWT or API key who knows or can guess a device uid can therefore read device metadata from other namespaces. This is a cross-tenant information disclosure (IDOR): the leaked fields include hostnames, MAC addresses, OS fingerprints, public SSH keys, namespace names, last-seen timestamps and remote addresses, which can be used for namespace enumeration and device inventory reconnaissance. Only confidentiality is affected (C:H/I:N/A:N); the flaw does not by itself allow modifying or controlling devices in other namespaces.
Recommendations
Update to version 0.24.2.
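The following is an added, self-contained illustration of the access-control gap described above and of the tenant-scoped lookup that closes it. It is not ShellHub's code: the handler names, the in-memory device store, the `X-Tenant-ID` header standing in for the tenant claim of a validated JWT or API key, and the device records are all constructed for the example. The hardened handler answers a foreign uid with 404 rather than 403 so the response does not confirm that the uid exists in another namespace.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Device carries the kind of metadata the advisory says leaks; field names are illustrative.
type Device struct {
	UID       string `json:"uid"`
	Name      string `json:"name"`
	TenantID  string `json:"tenant_id"`
	MAC       string `json:"mac"`
	PublicKey string `json:"public_key"`
}

// devices is a constructed in-memory store standing in for the database, keyed by uid.
// Two devices in two different tenants are enough to show the cross-tenant read.
var devices = map[string]Device{
	"dev-a1": {UID: "dev-a1", Name: "web-01", TenantID: "tenant-A", MAC: "02:00:00:aa:aa:aa", PublicKey: "ssh-ed25519 AAAA...A"},
	"dev-b1": {UID: "dev-b1", Name: "db-01", TenantID: "tenant-B", MAC: "02:00:00:bb:bb:bb", PublicKey: "ssh-ed25519 AAAA...B"},
}

// callerTenant stands in for the tenant claim of an already-validated JWT or API key.
// In this example it is read from a request header (an assumption for the demo);
// real code must take it from the verified token, never from a caller-controlled header.
func callerTenant(r *http.Request) string { return r.Header.Get("X-Tenant-ID") }

// uidFromPath extracts the :uid path parameter from /api/devices/:uid.
func uidFromPath(r *http.Request) string {
	return strings.TrimPrefix(r.URL.Path, "/api/devices/")
}

// vulnerableGetDevice looks the device up by uid alone, so any authenticated
// caller who knows or guesses a uid receives another tenant's device record.
func vulnerableGetDevice(w http.ResponseWriter, r *http.Request) {
	d, ok := devices[uidFromPath(r)]
	if !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	_ = json.NewEncoder(w).Encode(d)
}

// fixedGetDevice scopes the lookup to the caller's tenant. A uid that exists in
// another namespace is treated exactly like a non-existent one (404), so the
// endpoint cannot be used as a namespace/device enumeration oracle.
func fixedGetDevice(w http.ResponseWriter, r *http.Request) {
	d, ok := devices[uidFromPath(r)]
	if !ok || d.TenantID != callerTenant(r) {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	_ = json.NewEncoder(w).Encode(d)
}

// fetch issues an in-process GET /api/devices/<uid> as the given tenant and
// returns the status code and the trimmed response body.
func fetch(h http.HandlerFunc, tenant, uid string) (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/api/devices/"+uid, nil)
	req.Header.Set("X-Tenant-ID", tenant)
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}

func main() {
	// tenant-A asks for tenant-B's device: the vulnerable handler leaks it,
	// the fixed handler answers 404.
	code, body := fetch(vulnerableGetDevice, "tenant-A", "dev-b1")
	fmt.Printf("vulnerable: %d %s\n", code, body)
	code, body = fetch(fixedGetDevice, "tenant-A", "dev-b1")
	fmt.Printf("fixed:      %d %s\n", code, body)
	code, body = fetch(fixedGetDevice, "tenant-A", "dev-a1")
	fmt.Printf("own device: %d %s\n", code, body)
}
```

The same pattern applies to any per-object endpoint: the tenant identifier must be part of the lookup key (or a mandatory filter on the query), not a check bolted on after an unscoped fetch, and a mismatch should be indistinguishable from "no such object".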
Weakness Enumeration
IDOR
Affected Products
Shellhub