Impact
Crabbox versions prior to 0.12.0 suffer from a privilege escalation flaw that lets any user who has only shared visibility rights acquire agent tickets for the Code, WebVNC, and Egress services. By sending unauthenticated POST requests to the /v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket and /v1/leases/:id/egress/ticket endpoints, an attacker can obtain bridge-agent tickets and impersonate a trusted bridge on the lease side. Because the application does not enforce proper access control on those endpoints, the attacker gains privileges beyond visibility, effectively bypassing the intended permission model. The vulnerability is a classic example of insufficient authorization checks (CWE-639).
Affected Systems
The openclaw:crabbox application is affected. Any deployment of Crabbox earlier than version 0.12.0 is vulnerable. The issue was addressed in release v0.12.0, so versions 0.12.0 and later are considered safe.
Risk and Exploitability
The CVSS score of 8.6 indicates high severity and potential for significant impact. No EPSS score is currently available, but the vulnerability has been publicly documented and is exploitable over ordinary HTTP traffic. Although it is not listed in the CISA KEV catalog, the flaw enables privilege escalation and could be weaponized remotely against exposed instances. Because an attacker with only visibility permissions needs nothing more than standard HTTP POST requests to obtain privileged tickets, exploitation is straightforward for anyone who can reach the service.
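The following Python example illustrates the defensive side of the issue described in the Impact and Risk sections above: an authorization policy that gates the three ticket endpoints on an authenticated principal with a role above shared visibility, and a retroactive check that runs the same policy over access logs to find ticket issuances a pre-0.12.0 server would have served. This is an added example, not Crabbox's own code; the role names (visibility, lease_owner, admin), the minimum role required for a ticket, the key=value log format and the sample log lines are all constructed assumptions, since the page does not describe Crabbox's real role model or log format.

```python
"""Authorization policy for Crabbox-style lease ticket endpoints, plus a
retroactive access-log check. Added example, not Crabbox's own code; the role
ladder, the log format and the sample log lines are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three endpoints named in the advisory; :id is the lease identifier.
TICKET_PATH = re.compile(
    r"^/v1/leases/(?P<lease_id>[^/]+)/(?P<service>code|webvnc|egress)/ticket$"
)

# Constructed role ladder (assumption: the page does not describe Crabbox's roles).
# "visibility" is the shared-visibility role that must NOT be able to mint tickets.
ROLE_RANK = {"visibility": 1, "lease_owner": 2, "admin": 3}
REQUIRED_ROLE = "lease_owner"  # assumed minimum role allowed to mint a bridge-agent ticket


@dataclass
class Principal:
    name: str
    role: str
    authenticated: bool = True


def authorize_ticket_request(principal: Optional[Principal], method: str, path: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Only POSTs to the ticket endpoints are decided here;
    other requests are reported as out of scope so callers apply their own checks."""
    m = TICKET_PATH.match(path)
    if method.upper() != "POST" or m is None:
        return (True, "not a ticket endpoint")
    if principal is None or not principal.authenticated:
        # The pre-0.12.0 behaviour described on the page: no authentication demanded here.
        return (False, "unauthenticated request to ticket endpoint")
    if ROLE_RANK.get(principal.role, 0) < ROLE_RANK[REQUIRED_ROLE]:
        return (False, f"role {principal.role!r} may not mint {m['service']} tickets for lease {m['lease_id']}")
    return (True, "ok")


# --- retroactive check over access logs (constructed key=value format) ---
LOG_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line: str) -> dict:
    return dict(LOG_FIELD.findall(line))


def find_ticket_grants_to_unprivileged(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (user, path, reason) for successful (2xx) ticket issuances that the
    policy above would deny, i.e. grants a vulnerable server made to callers
    that a patched server rejects. Useful when reviewing logs of an instance
    that ran a version earlier than 0.12.0."""
    findings = []
    for line in lines:
        f = parse_log_line(line)
        if not f.get("status", "").startswith("2"):
            continue  # denied or failed requests are not grants
        principal = None
        if f.get("user", "-") != "-":
            principal = Principal(f["user"], f.get("role", ""), f.get("auth") == "yes")
        allowed, reason = authorize_ticket_request(principal, f.get("method", ""), f.get("path", ""))
        if not allowed:
            findings.append((f.get("user", "-"), f["path"], reason))
    return findings


# Constructed sample log lines, not real Crabbox output.
SAMPLE_LOG = [
    "ts=2024-05-01T10:00:00Z user=alice role=visibility auth=yes method=POST path=/v1/leases/lease-7/code/ticket status=200",
    "ts=2024-05-01T10:00:05Z user=- role=- auth=no method=POST path=/v1/leases/lease-7/webvnc/ticket status=200",
    "ts=2024-05-01T10:00:09Z user=bob role=lease_owner auth=yes method=POST path=/v1/leases/lease-7/egress/ticket status=200",
    "ts=2024-05-01T10:00:12Z user=alice role=visibility auth=yes method=GET path=/v1/leases/lease-7 status=200",
    "ts=2024-05-01T10:00:20Z user=alice role=visibility auth=yes method=POST path=/v1/leases/lease-7/code/ticket status=403",
]

if __name__ == "__main__":
    for user, path, reason in find_ticket_grants_to_unprivileged(SAMPLE_LOG):
        print(f"suspicious ticket grant: user={user} path={path} ({reason})")
```

The policy deliberately treats an absent or unauthenticated principal as a denial on the ticket paths rather than falling through, and the log check only counts 2xx responses, so a patched instance returning 403 for the same visibility-only caller (the last sample line) produces no finding.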
OpenCVE Enrichment