CVE-2026-44424: ShellHub has cross-tenant IDOR in `GET /api/devices/:uid` that discloses device data of any namespace

May 6, 2026

GET /api/devices/:uid returns the full device object whenever the caller is authenticated, without verifying that the device belongs to the caller’s namespace (tenant). Any authenticated user (JWT or API Key) who knows or can guess a device UID can read device metadata from any other namespace.

References

github.com/advisories/GHSA-j72x-xfwg-783f
github.com/shellhub-io/shellhub
github.com/shellhub-io/shellhub/security/advisories/GHSA-j72x-xfwg-783f
nvd.nist.gov/vuln/detail/CVE-2026-44424

Code Behaviors & Features

Detect and mitigate CVE-2026-44424 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →