CVE-2026-44423: ShellHub has cross-tenant IDOR in `GET /api/sessions/:uid` that discloses SSH session data

May 6, 2026

GET /api/sessions/:uid returns the full session object for any authenticated caller, without scoping by the caller’s tenant. An authenticated user can read session records (SSH username, device UID, remote IP, terminal type, authenticated flag, timestamps) belonging to any other namespace.

References

github.com/advisories/GHSA-9w9c-9w8m-w89q
github.com/shellhub-io/shellhub
github.com/shellhub-io/shellhub/security/advisories/GHSA-9w9c-9w8m-w89q
nvd.nist.gov/vuln/detail/CVE-2026-44423

Code Behaviors & Features

Detect and mitigate CVE-2026-44423 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →