Skip to content

shellhub

Server & OS Management

Centralized SSH gateway for remotely accessing and managing Linux servers and devices from anywhere via web browser or mobile app

Track releases GitHub Website
Go Latest v0.24.2 · 1mo ago Security brief →

Features

  • Native SSH support with standard tools (OpenSSH, PuTTY)
  • SCP/SFTP file transfer using industry‑standard clients
  • SSH port forwarding for secure TCP traffic routing
  • Public‑key authentication for multi‑user access without shared passwords
  • Fine‑grained firewall rules to control inbound SSH connections
  • Audit logging and session recording for compliance and monitoring

Security Response History

1 CVE
CVE Severity Disclosed Patched (this tool) vs Ecosystem Median
CVE-2023-44487 KEV medium
CVSS 7.5
 2023-10-10 2026-01-02 2y 3mo / median 2y 3mo

Recent releases

View all 9 releases →
v0.24.2 Breaking risk
Notable features
  • Add team invitations
  • Add Containers page and components
  • Implement announcements admin panel
Full changelog

What's Changed

  • chore(deps): bump go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp from 1.41.0 to 1.43.0 in /tests by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6146
  • feat(ui-react): implement announcements admin panel by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6133
  • feat(ui-react): add admin sessions list and detail pages by @luannmoreira in https://github.com/shellhub-io/shellhub/pull/6107
  • ci: remove private registry dependency from CI workflows by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6150
  • fix(infra): ensure postgres container restarts after host reboot by @geovannewashington in https://github.com/shellhub-io/shellhub/pull/6152
  • refactor(ui-react): unify main and admin sidebar behavior by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6151
  • chore(deps): bump axios from 1.13.6 to 1.15.0 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6157
  • ui: bump axios from 1.14.0 to 1.15.0 in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6156
  • fix(cli): ensure first user created via CLI is admin by @geovannewashington in https://github.com/shellhub-io/shellhub/pull/6155
  • fix(gateway): raise WebSocket timeouts and enable TCP keepalive by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6158
  • chore(ci): remove verify-fix workflow by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6161
  • feat(agent): default transport to yamux (v2) by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6163
  • fix(ui-react): fix sidebar behavior when terminal is open by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6166
  • refactor(ui-react): add reusable DataTable component by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6164
  • refactor(api): remove RSA signature gate from initial setup flow by @geovannewashington in https://github.com/shellhub-io/shellhub/pull/6162
  • fix(ui-react): fix License page upload input on Chromium by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6189
  • docker: api: bump golang from 1.25.8-alpine3.22 to 1.25.9-alpine3.22 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6186
  • docker: cli: bump golang from 1.25.8-alpine3.22 to 1.25.9-alpine3.22 in /cli by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6185
  • docker: agent: bump golang from 1.25.8-alpine3.22 to 1.25.9-alpine3.22 in /agent by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6184
  • docker: ssh: bump golang from 1.25.8-alpine3.22 to 1.25.9-alpine3.22 in /ssh by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6183
  • docker: gateway: bump golang from 1.25.8-alpine3.22 to 1.25.9-alpine3.22 in /gateway by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6182
  • docker: ui: bump nginx from 1.29.7-alpine to 1.29.8-alpine in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6181
  • ui: bump typescript-eslint from 8.58.0 to 8.58.2 in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6180
  • refactor(ui-react): split useCopy hook into its own file by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6167
  • chore: update gliderlabs/ssh fork to fix golang.org/x/crypto v0.50.0 compatibility by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6193
  • ui: bump eslint-plugin-jest from 29.15.1 to 29.15.2 in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6171
  • ssh: bump golang.org/x/net from 0.52.0 to 0.53.0 in /ssh by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6170
  • api: bump github.com/getkin/kin-openapi from 0.134.0 to 0.135.0 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6177
  • api: bump golang.org/x/crypto from 0.49.0 to 0.50.0 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6178
  • ui: bump follow-redirects from 1.15.11 to 1.16.0 in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6192
  • agent: bump github.com/mattn/go-shellwords from 1.0.12 to 1.0.13 in /agent by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6172
  • api: bump github.com/testcontainers/testcontainers-go/modules/postgres from 0.41.0 to 0.42.0 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6179
  • api: bump github.com/getsentry/sentry-go from 0.44.1 to 0.45.1 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6175
  • chore(deps): bump actions/github-script from 8 to 9 by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6188
  • chore(deps): bump softprops/action-gh-release from 2 to 3 by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6187
  • fix(ui-react): clear query cache on logout to drop stale user data by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6194
  • fix(ui-react): surface swallowed errors in ConfirmDialog delete flows by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6168
  • chore(deps): migrate dependabot from ui to ui-react by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6198
  • feat(cli): add type column to namespace list output by @geovannewashington in https://github.com/shellhub-io/shellhub/pull/6197
  • docker: ui-react: bump node from 24.13.0-alpine3.22 to 24.15.0-alpine3.22 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6207
  • ui-react: bump @types/node from 25.5.0 to 25.6.0 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6209
  • ui-react: bump @hey-api/openapi-ts from 0.94.3 to 0.94.5 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6210
  • ui-react: bump typescript-eslint from 8.57.0 to 8.58.2 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6211
  • ui-react: bump vitest from 4.1.0 to 4.1.4 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6208
  • ssh: bump github.com/pires/go-proxyproto from 0.11.0 to 0.12.0 in /ssh by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6206
  • ui-react: bump @tiptap/markdown from 3.22.2 to 3.22.3 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6205
  • api: bump github.com/testcontainers/testcontainers-go/modules/mongodb from 0.41.0 to 0.42.0 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6204
  • docker: ssh: bump alpine from 3.23.3 to 3.23.4 in /ssh by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6203
  • docker: gateway: bump alpine from 3.23.3 to 3.23.4 in /gateway by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6200
  • docker: api: bump alpine from 3.23.3 to 3.23.4 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6202
  • docker: ui-react: bump nginx from 1.29.4-alpine to 1.29.8-alpine in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6201
  • docker: cli: bump alpine from 3.23.3 to 3.23.4 in /cli by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6199
  • chore(ui-react): remove deprecated baseUrl from ui-react's tsconfig.json by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6212
  • refactor(ui-react): use @ import alias by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6213
  • fix(openapi): align tag name pattern with backend validation by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6216
  • ui-react: bump postcss from 8.5.8 to 8.5.10 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6225
  • ui-react: bump axios from 1.15.0 to 1.15.1 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6224
  • ui-react: bump @tiptap/react from 3.22.2 to 3.22.4 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6221
  • ui-react: bump autoprefixer from 10.4.27 to 10.5.0 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6223
  • chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6220
  • api: bump github.com/labstack/gommon from 0.4.2 to 0.5.0 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6219
  • api: bump github.com/jackc/pgx/v5 from 5.9.1 to 5.9.2 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6217
  • fix(api): expose internal namespace lookup for SSH service by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6228
  • fix(api): let admin panel through RequiresTenant guard by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6229
  • feat(ui-react): add Containers page and components by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6214
  • feat(ui-react): add team invitations feature by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6191
  • ui-react: bump typescript-eslint from 8.58.2 to 8.59.0 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6222
  • fix(ui-react): fix lint error in ContainerTagsPopover test by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6231
  • api: bump github.com/moby/moby/api from 1.54.1 to 1.54.2 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6218
  • docs(api): remove status field from namespace member schema by @geovannewashington in https://github.com/shellhub-io/shellhub/pull/6230
  • feat(ui): add SAML SSO login and admin authentication settings by @luannmoreira in https://github.com/shellhub-io/shellhub/pull/6196
  • test: optimize healthchecks and force image rebuild by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6234
  • fix(ui-react): make sidebar pinned by default on larger screens by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6235
  • agent: bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0 in /agent by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6238
  • chore(deps): bump go.opentelemetry.io/otel from 1.40.0 to 1.41.0 by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6237
  • chore(deps): bump postcss from 8.4.49 to 8.5.10 in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6239
  • fix(ui-react): fix sidebar height and content overflow in layouts by @luannmoreira in https://github.com/shellhub-io/shellhub/pull/6233
  • ui-react: bump vitest from 4.1.4 to 4.1.5 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6247
  • ui-react: bump @tiptap/extension-link from 3.22.2 to 3.22.4 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6245
  • ui-react: bump @tanstack/react-query-devtools from 5.91.3 to 5.100.5 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6246
  • ui-react: bump react-router-dom from 7.13.1 to 7.14.2 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6243
  • fix(ci): update claude-code-action to v1 by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6252
  • feat(ui-react): wire firewall-rules and web-endpoints into the console by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6253
  • fix(ui): restore sidebar pin and hover behavior by @luannmoreira in https://github.com/shellhub-io/shellhub/pull/6251
  • ui-react: bump @tiptap/markdown from 3.22.3 to 3.22.5 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6244
  • api: bump github.com/getsentry/sentry-go from 0.45.1 to 0.46.0 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6242
  • refactor(cli): replace bind() with explicit field assignment by @geovannewashington in https://github.com/shellhub-io/shellhub/pull/6254
  • ui-react: bump postcss from 8.5.10 to 8.5.12 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6257
  • ui-react: bump globals from 17.4.0 to 17.5.0 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6260
  • ui-react: bump eslint from 10.0.3 to 10.2.1 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6259
  • ui-react: bump zustand from 5.0.11 to 5.0.12 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6258
  • api: bump github.com/getsentry/sentry-go from 0.46.0 to 0.46.1 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6256
  • ui-react: bump @tanstack/react-query-devtools from 5.100.5 to 5.100.6 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6255
  • chore: bump shellhub version to v0.24.2 by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6261
  • fix(ci): generate release notes from docker-publish draft by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6263

Full Changelog: https://github.com/shellhub-io/shellhub/compare/v0.24.1...v0.24.2

View release on GitHub
v0.21.7 Security relevant
Security fixes
  • GHSA-vwx9-7qcf-gg7f - cross-tenant IDOR on namespace endpoints
  • GHSA-j72x-xfwg-783f - cross-tenant device metadata disclosure
  • GHSA-9w9c-9w8m-w89q - cross-tenant SSH session data disclosure
Full changelog

Security

Fixes four cross-tenant and input-validation advisories:

  • GHSA-vwx9-7qcf-gg7f — cross-tenant IDOR on namespace endpoints reachable via API Key and JWT callers, allowing a caller to read, edit, delete or toggle session recording of a namespace they are not scoped to, and to enumerate namespaces across tenants on the list endpoint. (initially fixed in v0.21.6)
  • GHSA-j72x-xfwg-783fGET /api/devices/:uid returned the full device object for any authenticated caller, allowing cross-tenant disclosure of device metadata (hostname, MAC, OS, public key, remote address, last-seen).
  • GHSA-9w9c-9w8m-w89qGET /api/sessions/:uid returned the full session object for any authenticated caller, allowing cross-tenant disclosure of SSH session data (username, device UID, remote IP, authentication state, timestamps).
  • GHSA-47r2-v3x6-wff9 — filter and sort query parameters on the device list accepted attacker-controlled identifiers as BSON keys, enabling HTTP 500 crash-DoS and blind regex extraction via $regex values.

Full Changelog: https://github.com/shellhub-io/shellhub/compare/v0.21.6...v0.21.7

View release on GitHub
v0.21.6 Security relevant
Security fixes
  • GHSA-vwx9-7qcf-gg7f - cross-tenant IDOR on namespace endpoints allowing unauthorized read, edit, delete operations
Full changelog

Security

Fixes GHSA-vwx9-7qcf-gg7f — cross-tenant IDOR on namespace endpoints reachable via API Key and JWT callers, allowing a caller to read, edit, delete or toggle session recording of a namespace they are not scoped to, and to enumerate namespaces across tenants on the list endpoint. Reported by @Edu0x01.

What's Changed

  • fix(api): prevent cross-tenant access via API Key and JWT by @gustavosbarreto

Full Changelog: https://github.com/shellhub-io/shellhub/compare/v0.21.5...v0.21.6

View release on GitHub
v0.24.1 New feature
Notable features
  • Admin user management pages
  • Admin device list and detail pages
  • Admin firewall rules list and detail pages
Full changelog

What's Changed

  • feat(ui-react): add admin user management pages by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6086
  • feat(ui): add admin namespace management by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6105
  • feat(ui-react): handle token query param on Login page for admin login-as-user by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6110
  • fix(ui-react): fix connection announcement overflow in admin namespace details by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6109
  • feat(ui-react): add admin device list and detail pages by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6113
  • ui: bump defu from 6.1.4 to 6.1.6 in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6115
  • ui: bump lodash from 4.17.23 to 4.18.1 in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6111
  • fix(ci): temporarily pin claude-code-action to 1.0.88 by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6125
  • feat(ui-react): add admin firewall rules list and detail pages by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6116
  • ci: add SBOM generation to release workflows by @otavio in https://github.com/shellhub-io/shellhub/pull/6112
  • fix(ui-react): resolve prettier and eslint formatting conflicts by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6126
  • ui: bump turndown from 7.2.2 to 7.2.4 in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6122
  • ui: bump vuetify from 3.12.3 to 3.12.5 in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6121
  • ui: bump sass from 1.98.0 to 1.99.0 in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6120
  • api: bump github.com/lib/pq from 1.12.1 to 1.12.3 in /api by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6119
  • ui: bump @vue/runtime-dom from 3.5.31 to 3.5.32 in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6118
  • chore(deps-dev): bump vite from 7.3.1 to 7.3.2 in /ui-react by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6117
  • ui: bump qrcode.vue from 3.8.0 to 3.8.1 in /ui by @dependabot[bot] in https://github.com/shellhub-io/shellhub/pull/6123
  • fix(api): add id tiebreaker to paginated queries by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6127
  • fix(ui-react): use server-side filtering for device search by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6129
  • fix(ui-react): use plain strings for public key filter tags by @luannmoreira in https://github.com/shellhub-io/shellhub/pull/6128
  • fix(api): qualify column names in device queries with JOINs by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6130
  • fix(api): place AND operator before connector filter in device list by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6131
  • fix(api): compute device online status in session queries by @luizhf42 in https://github.com/shellhub-io/shellhub/pull/6137
  • fix(store): add missing "lt" operator to PG filter parser by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6140
  • feat(cli): add namespace enumeration capabilites by @geovannewashington in https://github.com/shellhub-io/shellhub/pull/6132
  • chore: bump shellhub version to v0.24.1 by @gustavosbarreto in https://github.com/shellhub-io/shellhub/pull/6141

Full Changelog: https://github.com/shellhub-io/shellhub/compare/v0.24.0...v0.24.1

View release on GitHub
v0.24.0 Breaking
Breaking changes
  • MongoDB support completely removed
  • PostgreSQL is now required
View release on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

About

Stars
2,017
Forks
183
Languages
Go TypeScript Shell
View on GitHub Homepage Documentation

Install & Platforms

Platforms
linux

Community & Support

Community

Similar tools

Nexterm
DietPi
MeshCentral
server
LinuxGSM

Beta — feedback welcome: [email protected]