Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers. Attackers can inject malicious X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a shared token to bypass authorization checks and access owner/org-scoped lease operations belonging to victim accounts.
AnalysisAI
Authentication bypass in Crabbox versions prior to v0.12.0 allows authenticated attackers with shared-token access to impersonate arbitrary owners or organizations. By injecting crafted X-Crabbox-Owner and X-Crabbox-Org headers in API requests, attackers can bypass authorization checks and gain full access to victim lease operations across organizational boundaries. VulnCheck reported this vulnerability, and a vendor-released patch is available in version v0.12.0. CVSS 8.7 (High) reflects network-accessible exploitation with low privileges required, high impact to confidentiality, integrity, and availability within the vulnerable component scope.
Technical ContextAI
Crabbox is an infrastructure automation tool by OpenClaw for managing ephemeral compute leases across cloud providers (AWS, Azure, Proxmox, Tensorlake). This vulnerability stems from CWE-287 (Improper Authentication) where the shared-token authentication mechanism trusts client-supplied identity headers without proper validation. The application uses X-Crabbox-Owner and X-Crabbox-Org headers to scope authorization for lease operations but fails to verify these headers against the authenticated token's actual permissions. This is a classic header injection attack against multi-tenant systems where header-based routing or scoping bypasses the underlying authentication layer. The CVSS vector AV:N/AC:L/PR:L indicates network-accessible exploitation requiring only low-privilege (shared-token) credentials, with no additional attack complexity.
RemediationAI
Upgrade immediately to Crabbox v0.12.0 or later, released 2026-05-12, which contains the authentication fix per vendor release notes at https://github.com/openclaw/crabbox/releases/tag/v0.12.0. The security patch is implemented in commit b657323f1d1c954cefc8444571fa6c45a8896e7f and pull request https://github.com/openclaw/crabbox/pull/70. If immediate upgrade is not possible, disable shared-token authentication and migrate to individual per-user API tokens with strict owner/organization binding at the authentication layer (not header-based). As a temporary workaround, implement reverse-proxy header filtering to strip or validate X-Crabbox-Owner and X-Crabbox-Org headers before they reach the Crabbox application - however, this introduces operational complexity and potential for misconfiguration, so treat it as a bridge to upgrading, not a permanent control. Review audit logs for suspicious owner/org switches in requests with shared-token authentication to identify potential prior exploitation.
Crabbox versions before 0.12.0 leak local secrets through environment variable forwarding during remote command executio
Privilege escalation in Crabbox versions prior to v0.12.0 allows authenticated users with visibility-only permissions to
Authentication bypass in Crabbox coordinator allows privilege escalation to full admin access. Attackers holding valid l
Path traversal in Crabbox <0.9.0 allows local attackers to delete or overwrite arbitrary files via malicious .crabbox.ya
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30369
GHSA-4g9m-rffv-h6wq