CVE-2026-44425 shellhub-io CVE debrief

Who should care

Organizations running ShellHub versions prior to 0.24.2 as a centralized SSH gateway, particularly those with multi-tenant deployments or external-facing API endpoints. Security teams responsible for API security, input validation, and NoSQL/SQL injection defenses should prioritize this remediation.

Technical summary

The ShellHub device list endpoint fails to validate user-supplied field names in filter and sort parameters before using them as database keys. An authenticated attacker can inject malformed or unexpected keys into MongoDB aggregation pipelines or SQL queries, causing unhandled exceptions that return HTTP 500 errors. This represents a denial-of-service condition for API availability and may indicate underlying injection risks in the data access layer. The absence of rate limiting amplifies the practical impact.

Defensive priority

medium

Recommended defensive actions

• Upgrade ShellHub to version 0.24.2 or later to remediate this vulnerability.
• Review application logs for HTTP 500 errors on the device list endpoint that may indicate exploitation attempts.
• Implement additional input validation at the application layer for query parameters before database interaction.
• Consider implementing rate limiting on API endpoints to reduce the impact of automated exploitation attempts.
• Monitor for anomalous query patterns in database logs that may indicate probing for this vulnerability.

Evidence notes

Vulnerability confirmed through vendor security advisory and NVD analysis. CWE-20 (Improper Input Validation), CWE-943 (Improper Neutralization of Special Elements in Data Query Logic), and CWE-1333 (Inefficient Regular Expression Complexity) identified as applicable weaknesses.

Official resources