CVE-2026-44426

Name of the Vulnerable Software and Affected Versions ShellHub versions prior to 0.24.2

Description An issue exists where the endpoint "/api/namespaces/:tenant" returns the complete namespace object to any caller authenticated via an API Key, regardless of the API Key's tenant scope. This object includes sensitive information such as the members list (user IDs, e-mails, and roles), settings, and device counts. The problem occurs because the handler skips the membership check when the user ID variable X-ID is absent, which is the standard behavior for API Key authentication. This allows for the enumeration of any namespace by tenant UUID and the disclosure of member details and namespace configurations.

Recommendations Update to version 0.24.2.