Description
Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges. An attacker with access to the shared non-admin token can craft a user-token payload with admin: true, sign it using HMAC-SHA256, and present it to admin-only coordinator routes to gain full coordinator admin access including lease visibility, pool state management, and forced release operations.
Published: 2026-05-11
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crabbox versions earlier than 0.9.0 contain an authentication bypass flaw. The verifyUserToken() function mistakenly accepts user-token payloads that include an admin claim. An attacker can manipulate the token payload, set admin: true, sign it with HMAC-SHA256, and use it to access coordinator routes that are otherwise restricted to administrator accounts. The result is full admin privileges over the coordinator, allowing the attacker to view leases, manage pool state, and force resource releases, thereby compromising confidentiality, integrity, and availability of the service.

Affected Systems

The vulnerability affects the openclaw:crabbox product, specifically all releases prior to version 0.9.0. Users running versions older than 0.9.0 are susceptible; the 0.9.0 release and newer contain the fix.

Risk and Exploitability

The flaw carries a CVSS score of 7.7, indicating high severity. EPSS information is not available, and the issue is not listed in the CISA KEV catalog, yet the ability to elevate privileges from a regular user to a coordinator admin makes the risk credible. No specific exploit has been reported, but the attack requires an attacker to craft a valid HMAC-SHA256 signed token containing an admin claim; if the attacker can obtain the signing secret or can re-use a valid non-admin token, the bypass can be executed remotely, likely via API or web request.

Generated by OpenCVE AI on May 11, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Crabbox to version 0.9.0 or later, which resolves the admin claim injection bug.
  • Verify that the HMAC secret key used to sign user tokens is kept confidential and rotate it if there is any suspicion of compromise.
  • Ensure that user-issued tokens cannot contain an admin claim; enforce strict validation rules for token payloads so admin privileges can only be granted by the system itself.


Advisories

No advisories yet.

History

Mon, 11 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
Description | | Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges. An attacker with access to the shared non-admin token can craft a user-token payload with admin: true, sign it using HMAC-SHA256, and present it to admin-only coordinator routes to gain full coordinator admin access including lease visibility, pool state management, and forced release operations.
Title | | Crabbox < 0.9.0 Authentication Bypass via Admin Claim Injection
Weaknesses | | CWE-290
References | |
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T18:35:52.217Z

Reserved: 2026-05-11T14:14:49.611Z

Link: CVE-2026-45223

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-11T19:16:28.103

Modified: 2026-05-11T19:16:28.103

Link: CVE-2026-45223

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T19:30:06Z

Weaknesses