Skip to main content

Crabbox EUVDEUVD-2026-29197

| CVE-2026-45223 HIGH
Authentication Bypass by Spoofing (CWE-290)
2026-05-11 VulnCheck GHSA-27v8-7qqq-m35q
7.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Re-analysis Queued
May 11, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
May 11, 2026 - 19:22 NVD
8.8 (HIGH) 7.7 (HIGH)
Source Code Evidence Fetched
May 11, 2026 - 19:01 vuln.today
Analysis Generated
May 11, 2026 - 19:01 vuln.today
CVE Published
May 11, 2026 - 18:12 nvd
HIGH 8.8

DescriptionCVE.org

Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges. An attacker with access to the shared non-admin token can craft a user-token payload with admin: true, sign it using HMAC-SHA256, and present it to admin-only coordinator routes to gain full coordinator admin access including lease visibility, pool state management, and forced release operations.

AnalysisAI

Authentication bypass in Crabbox coordinator allows privilege escalation to full admin access. Attackers holding valid low-privilege user tokens can inject an admin claim into the token payload, sign it with HMAC-SHA256, and authenticate to admin-restricted coordinator endpoints. This grants unauthorized access to lease visibility across all users, pool state management, and forced release operations. Patch available in version 0.9.0 with upstream commit confirmed. No active exploitation (CISA KEV) or public POC identified at time of analysis, but CVSS 8.8 reflects network-accessible attack with low complexity once initial authentication is obtained.

Technical ContextAI

Crabbox is an infrastructure coordination service (cpe:2.3:a:openclaw:crabbox) that manages compute leases across multiple providers including E2B, Daytona, Islo, and Namespace. The vulnerability exists in the JWT-style user token verification logic within the coordinator component. CWE-290 (Authentication Bypass by Spoofing) indicates the verifyUserToken() function trusts client-controlled claims without proper validation. In JWT architectures, the standard security model requires the authorization server to be the sole issuer of sensitive claims like admin privileges. This implementation failed to reject or sanitize admin claims in user-supplied token payloads before HMAC-SHA256 signature verification, allowing horizontal privilege escalation. The shared secret used for HMAC signing is apparently accessible to authenticated users, enabling them to forge valid signatures for modified payloads. Affected routes include admin-only coordinator endpoints governing cross-tenant lease visibility, resource pool state mutations, and forced lease termination.

RemediationAI

Upgrade immediately to Crabbox version 0.9.0 or later, which includes the verified fix in commit 46079f6de7f10cf61bc47efebd0c143a41664898 (https://github.com/openclaw/crabbox/commit/46079f6de7f10cf61bc47efebd0c143a41664898). The patch modifies verifyUserToken() to explicitly reject caller-provided admin claims before granting coordinator access, per release notes at https://github.com/openclaw/crabbox/releases/tag/v0.9.0. If immediate upgrade is not feasible, implement network-level access controls restricting coordinator admin endpoints to trusted IP ranges or internal management networks only, though this mitigation does not address insider threats or compromised low-privilege accounts within the trusted perimeter. Rotate all coordinator HMAC signing secrets after patching to invalidate any attacker-forged tokens, though this requires coordination across all legitimate users and may cause service disruption. Audit coordinator access logs for anomalous admin operations from accounts that should not have admin privileges, particularly lease queries spanning multiple tenants, pool state changes, or forced release commands. The trade-off for pre-patch network restrictions is reduced operational flexibility for legitimate remote administration.

Share

EUVD-2026-29197 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy