ShellHub API Key Authentication Bypass Vulnerability in Namespace Endpoint
Vulnerability
A vulnerability exists in ShellHub, a centralized SSH gateway, in versions prior to 0.24.2. The issue arises in the `GET /api/namespaces/:tenant` endpoint, where the full namespace object is returned to any caller authenticated by an API Key, regardless of the API Key's tenant scope. This response includes sensitive information such as the members list (user IDs, emails, roles), settings, and device counts. The vulnerability occurs because the membership check is skipped for API Key authentication, allowing cross-tenant data access.
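The flaw described above, reduced to a minimal authorization check. This is an added example, not ShellHub's code or its actual patch: the `Caller` and `Namespace` types, the function names and the sample tenants are hypothetical, and scoping the key to its issuing tenant is one assumed way to close the gap.

```go
package main

import "fmt"

// Hypothetical types for illustration; not ShellHub's own code.
type Caller struct {
	ViaAPIKey bool   // authenticated by API Key instead of a user session
	UserID    string // set for user sessions
	KeyTenant string // tenant the API Key was issued for
}

type Namespace struct {
	TenantID string
	Members  map[string]string // user ID -> role
}

func isMember(c Caller, ns Namespace) bool {
	_, ok := ns.Members[c.UserID]
	return ok
}

// allowVulnerable mirrors the flaw: API Key callers return early, so the
// membership check never runs and the requested tenant is never compared.
func allowVulnerable(c Caller, ns Namespace) bool {
	if c.ViaAPIKey {
		return true
	}
	return isMember(c, ns)
}

// allowFixed binds an API Key to the tenant it was issued for and keeps the
// membership check for user sessions. A key with no tenant is rejected.
func allowFixed(c Caller, ns Namespace) bool {
	if c.ViaAPIKey {
		return c.KeyTenant != "" && c.KeyTenant == ns.TenantID
	}
	return isMember(c, ns)
}

func main() {
	// Constructed sample data: a key issued for tenant-a asks for tenant-b.
	ns := Namespace{TenantID: "tenant-b", Members: map[string]string{"u2": "owner"}}
	foreign := Caller{ViaAPIKey: true, KeyTenant: "tenant-a"}
	own := Caller{ViaAPIKey: true, KeyTenant: "tenant-b"}
	fmt.Println("vulnerable, foreign key:", allowVulnerable(foreign, ns))
	fmt.Println("fixed, foreign key:", allowFixed(foreign, ns))
	fmt.Println("fixed, own key:", allowFixed(own, ns))
}
```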
Impact
Exploitation of this vulnerability allows for unauthorized access to namespace data across tenants, including member details and namespace settings. This could lead to user enumeration and targeted phishing attacks.
Reproduction
To reproduce this vulnerability, authenticate with an API Key and make a request to the `GET /api/namespaces/:tenant` endpoint. The response will include the full namespace object for the specified tenant, bypassing the membership check.
Remediation
Users are advised to update to ShellHub version 0.24.2 or later, where this vulnerability has been fixed.
