Impact
The vulnerability in Crabbox is that shared-token authentication does not enforce ownership checks when identity headers are present. An attacker who holds a non-admin shared token can craft HTTP requests that include X-Crabbox-Owner and X-Crabbox-Org headers, causing the system to treat the request as belonging to a different owner or organization. This bypasses all authorization checks for lease operations that are scoped to an owner or organization, allowing the attacker to read, modify, or delete resources that belong to the victim account. The weakness is a classic authentication bypass (CWE-287) that undermines both the confidentiality and the integrity of lease data.
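The following is an added example, not Crabbox's own code, that models the identity-resolution step the advisory describes: a pre-0.12.0 style resolver that lets any valid shared token override its owner and organization through the X-Crabbox-Owner and X-Crabbox-Org headers, beside a hardened resolver that honours those headers only for admin tokens and rejects (rather than silently ignores) the attempt from a non-admin token so that it is visible to logging. The token-record layout, the is_admin flag, the lease fields and all token, owner, org and lease values are constructed assumptions for the demonstration; only the header names come from the advisory.

```python
"""Added example (not Crabbox code): header-trust flaw beside a hardened
identity resolver for shared-token authentication.

Assumptions (not from the advisory): token records carry owner, org and an
is_admin flag; lease records carry owner and org; sample values below are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Callable, Mapping, Optional

# Header names from the advisory, lower-cased for case-insensitive lookup.
OWNER_HEADER = "x-crabbox-owner"
ORG_HEADER = "x-crabbox-org"


@dataclass(frozen=True)
class TokenRecord:
    owner: str
    org: str
    is_admin: bool = False


@dataclass(frozen=True)
class Identity:
    owner: str
    org: str


@dataclass(frozen=True)
class Lease:
    lease_id: str
    owner: str
    org: str


class AuthError(Exception):
    """Raised for any authentication or authorization failure."""


# Constructed sample data: one non-admin tenant token, one platform admin token,
# and a lease that belongs to a different tenant.
TOKENS = {
    "tok-alice": TokenRecord(owner="alice", org="acme", is_admin=False),
    "tok-admin": TokenRecord(owner="ops", org="platform", is_admin=True),
}
LEASES = {
    "lease-1": Lease("lease-1", owner="bob", org="globex"),
}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; match on the lower-cased name."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def resolve_identity_vulnerable(token: str, headers: Mapping[str, str]) -> Identity:
    """Flawed pattern as described in the advisory: after the shared token is
    accepted, the identity headers replace the token's own owner and org, no
    matter who presented the token."""
    rec = TOKENS.get(token)
    if rec is None:
        raise AuthError("unknown token")
    owner = _header(headers, OWNER_HEADER) or rec.owner
    org = _header(headers, ORG_HEADER) or rec.org
    return Identity(owner, org)


def resolve_identity_hardened(token: str, headers: Mapping[str, str]) -> Identity:
    """Hardened resolver: the owner and org are bound to the token record.
    Identity headers are an admin-only override; a non-admin token that sends
    them is rejected outright, which also gives logging a clear signal."""
    rec = TOKENS.get(token)
    if rec is None:
        raise AuthError("unknown token")
    hdr_owner = _header(headers, OWNER_HEADER)
    hdr_org = _header(headers, ORG_HEADER)
    if hdr_owner is not None or hdr_org is not None:
        if not rec.is_admin:
            raise AuthError("identity headers not permitted for non-admin token")
        return Identity(hdr_owner or rec.owner, hdr_org or rec.org)
    return Identity(rec.owner, rec.org)


def authorize_lease(identity: Identity, lease_id: str) -> Lease:
    """Owner/org-scoped check: a lease is visible only to its own owner and org."""
    lease = LEASES.get(lease_id)
    if lease is None or lease.owner != identity.owner or lease.org != identity.org:
        raise AuthError("lease not found or not owned by caller")
    return lease


def can_access(resolver: Callable[[str, Mapping[str, str]], Identity],
               token: str, headers: Mapping[str, str], lease_id: str) -> bool:
    """True if the resolver plus the scoped check would let this request through."""
    try:
        authorize_lease(resolver(token, headers), lease_id)
        return True
    except AuthError:
        return False


if __name__ == "__main__":
    spoofed = {"X-Crabbox-Owner": "bob", "X-Crabbox-Org": "globex"}
    print("vulnerable:", can_access(resolve_identity_vulnerable, "tok-alice", spoofed, "lease-1"))
    print("hardened:  ", can_access(resolve_identity_hardened, "tok-alice", spoofed, "lease-1"))
```

The design point is that the hardened resolver never lets a non-admin token's owner or org be supplied by the client, and treats the mere presence of the headers on such a token as an error rather than ignoring them; an application log of those AuthError rejections is a direct indicator that someone is probing this weakness.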
Affected Systems
This flaw is present in all releases of Crabbox older than version 0.12.0. The affected product is Crabbox, a container management platform produced by OpenClaw. Any Crabbox instance that uses shared-token authentication and predates v0.12.0 is vulnerable; the issue does not exist in releases 0.12.0 and later.
Risk and Exploitability
The CVSS score of 8.7 indicates high severity. EPSS data is not available, so the current exploitation probability is unquantified. The vulnerability is not listed in CISA's KEV catalog. Nonetheless, an attacker who can guess or steal a shared token can easily compromise the account. Exploitation is remote, via crafted HTTP requests to the Crabbox API, and requires no privileges beyond possession of a shared token. Because the flaw is an authentication bypass, the impact can be extensive for any compromised account.
OpenCVE Enrichment