ShellHub Community, Authorization Bypass, CVE-2024-28765 (Critical)


How the mentioned CVE works:

The vulnerability resides in the `GET /api/namespaces/:tenant` endpoint of ShellHub Community v0.24.1. Under normal JWT authentication the handler extracts the user ID from the `X-ID` header and verifies that the user is a member of the target namespace before returning sensitive data. When an API Key is used for authentication, however, the `X-ID` header is never set: the `AuthRequest` function only populates `X-Tenant-ID`, `X-Role` and `X-API-Key`. Consequently `c.ID()` returns nil and `uid` stays an empty string, so the membership check guarded by `if uid != ""` is skipped entirely.

Any attacker holding a valid API Key (even one scoped to their own tenant) can therefore request any other tenant's namespace merely by supplying its UUID. The endpoint returns the full namespace object, including the member list (user IDs, emails, roles), settings, device counts, owner identity and more.

The root cause is in `api/routes/nsadm.go` lines 75-102, where membership verification is bypassed whenever `c.ID()` is nil. Because the API Key authentication flow deliberately omits `X-ID`, the bypass is unconditional. A live proof of concept confirms that a JWT request to a victim tenant returns HTTP 403, while the same request with an attacker's API Key returns HTTP 200 with the victim's complete namespace data. The impact includes user enumeration, email disclosure and exposure of internal namespace configuration.

dailycve form:

Platform: ShellHub Community
Version: v0.24.1
Vulnerability: Authorization Bypass
Severity: Critical
Date: 2026-05-07

Prediction: 2026-05-21

What Undercode Says:

# Enumerate victim namespace using attacker's API key
curl -i http://target/api/namespaces/<victim-tenant-uuid> \
  -H "X-API-Key: $ATTACKER_KEY"

# Check for missing X-ID header in auth flow
grep -A5 "X-API-Key" api/routes/auth.go

# Validate membership skip condition (Go method receivers sit between
# "func" and the method name, hence the ".*")
awk '/func.*GetNamespace/,/^}/' api/routes/nsadm.go | grep -A2 "if uid"

Exploit:

Attacker generates an API Key in their own namespace, then reuses that same key against any known tenant UUID to retrieve the full namespace object (members, emails, settings, device counts) without any membership check.

Protection from this CVE:

Apply the suggested two-layer fix: first, enforce a caller-tenant match before returning the namespace, e.g. `if c.Tenant() != nil && c.Tenant().ID != req.Tenant { return c.NoContent(http.StatusForbidden) }`; second, never skip membership verification just because `uid` is empty. Treat API Key callers as requiring tenant-scope validation rather than as exempt from authorization.
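As an added illustration that is not ShellHub's own code, the following Go program models the handler control flow described in the root-cause section above and the two-layer fix suggested here. The request context type, namespace store, sample tenants and the function names `vulnerableGetNamespace` and `fixedGetNamespace` are all assumed and simplified for this example; the real handler runs on the Echo framework, which is not reproduced.

```go
package main

import (
	"fmt"
	"net/http"
)

// Hypothetical, simplified stand-ins for the request context and the
// namespace store. None of ShellHub's own types or code appear here.

type Member struct {
	ID    string
	Email string
	Role  string
}

type Namespace struct {
	TenantID string
	Name     string
	Owner    string
	Members  []Member
}

// Caller models what the authentication middleware attaches to a request.
// A JWT caller carries a user ID (the X-ID header); an API-key caller carries
// only the tenant the key was issued for (X-Tenant-ID) and no user ID.
type Caller struct {
	UserID   string
	TenantID string
}

// Constructed sample data: an attacker-controlled tenant and a victim tenant.
var store = map[string]Namespace{
	"tenant-attacker": {
		TenantID: "tenant-attacker", Name: "attacker-ns", Owner: "user-attacker",
		Members:  []Member{{ID: "user-attacker", Email: "attacker@example.test", Role: "owner"}},
	},
	"tenant-victim": {
		TenantID: "tenant-victim", Name: "victim-ns", Owner: "user-victim",
		Members:  []Member{{ID: "user-victim", Email: "victim@example.test", Role: "owner"}},
	},
}

func isMember(ns Namespace, uid string) bool {
	for _, m := range ns.Members {
		if m.ID == uid {
			return true
		}
	}
	return false
}

// vulnerableGetNamespace mirrors the flawed control flow: membership is only
// verified when a user ID is present, so a request authenticated with an
// API key (empty uid) skips the check and receives any tenant's namespace.
func vulnerableGetNamespace(c Caller, tenant string) (int, *Namespace) {
	ns, ok := store[tenant]
	if !ok {
		return http.StatusNotFound, nil
	}
	uid := c.UserID
	if uid != "" { // never true for API-key callers
		if !isMember(ns, uid) {
			return http.StatusForbidden, nil
		}
	}
	return http.StatusOK, &ns
}

// fixedGetNamespace applies the two-layer check. The tenant-scope check runs
// before the lookup so that a cross-tenant request cannot even learn whether
// a UUID exists; a caller that carries a user ID must additionally be a
// member. An API-key caller can therefore only read its own tenant.
func fixedGetNamespace(c Caller, tenant string) (int, *Namespace) {
	if c.TenantID == "" || c.TenantID != tenant {
		return http.StatusForbidden, nil
	}
	ns, ok := store[tenant]
	if !ok {
		return http.StatusNotFound, nil
	}
	if c.UserID != "" && !isMember(ns, c.UserID) {
		return http.StatusForbidden, nil
	}
	return http.StatusOK, &ns
}

func main() {
	// Attacker's API key: scoped to their own tenant, no X-ID.
	attacker := Caller{UserID: "", TenantID: "tenant-attacker"}
	v, _ := vulnerableGetNamespace(attacker, "tenant-victim")
	f, _ := fixedGetNamespace(attacker, "tenant-victim")
	fmt.Printf("cross-tenant read with API key: vulnerable=%d fixed=%d\n", v, f)
}
```

The vulnerable path reproduces the 403-versus-200 contrast from the proof of concept: the same request answered with a JWT from a non-member is refused, while the API-key request succeeds. In the fixed path the tenant comparison is deliberately placed ahead of the store lookup, since a 404 returned only for unknown UUIDs would otherwise let a cross-tenant caller enumerate valid tenants.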

Impact:

Full namespace data leakage (member emails, roles, user IDs, session recording settings, device counts, owner identity) for any tenant, enabling targeted phishing, user enumeration, and internal infrastructure mapping.


Sources:

Reported By: github.com