Skip to main content

Crabbox EUVDEUVD-2026-30369

| CVE-2026-8621 HIGH
Improper Authentication (CWE-287)
2026-05-14 VulnCheck GHSA-4g9m-rffv-h6wq
8.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
May 14, 2026 - 19:31 vuln.today
Analysis Generated
May 14, 2026 - 19:31 vuln.today
CVSS changed
May 14, 2026 - 19:22 NVD
8.8 (HIGH) 8.7 (HIGH)
CVE Published
May 14, 2026 - 18:46 nvd
HIGH 8.7

DescriptionCVE.org

Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers. Attackers can inject malicious X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a shared token to bypass authorization checks and access owner/org-scoped lease operations belonging to victim accounts.

AnalysisAI

Authentication bypass in Crabbox versions prior to v0.12.0 allows authenticated attackers with shared-token access to impersonate arbitrary owners or organizations. By injecting crafted X-Crabbox-Owner and X-Crabbox-Org headers in API requests, attackers can bypass authorization checks and gain full access to victim lease operations across organizational boundaries. VulnCheck reported this vulnerability, and a vendor-released patch is available in version v0.12.0. CVSS 8.7 (High) reflects network-accessible exploitation with low privileges required, high impact to confidentiality, integrity, and availability within the vulnerable component scope.

Technical ContextAI

Crabbox is an infrastructure automation tool by OpenClaw for managing ephemeral compute leases across cloud providers (AWS, Azure, Proxmox, Tensorlake). This vulnerability stems from CWE-287 (Improper Authentication) where the shared-token authentication mechanism trusts client-supplied identity headers without proper validation. The application uses X-Crabbox-Owner and X-Crabbox-Org headers to scope authorization for lease operations but fails to verify these headers against the authenticated token's actual permissions. This is a classic header injection attack against multi-tenant systems where header-based routing or scoping bypasses the underlying authentication layer. The CVSS vector AV:N/AC:L/PR:L indicates network-accessible exploitation requiring only low-privilege (shared-token) credentials, with no additional attack complexity.

RemediationAI

Upgrade immediately to Crabbox v0.12.0 or later, released 2026-05-12, which contains the authentication fix per vendor release notes at https://github.com/openclaw/crabbox/releases/tag/v0.12.0. The security patch is implemented in commit b657323f1d1c954cefc8444571fa6c45a8896e7f and pull request https://github.com/openclaw/crabbox/pull/70. If immediate upgrade is not possible, disable shared-token authentication and migrate to individual per-user API tokens with strict owner/organization binding at the authentication layer (not header-based). As a temporary workaround, implement reverse-proxy header filtering to strip or validate X-Crabbox-Owner and X-Crabbox-Org headers before they reach the Crabbox application - however, this introduces operational complexity and potential for misconfiguration, so treat it as a bridge to upgrading, not a permanent control. Review audit logs for suspicious owner/org switches in requests with shared-token authentication to identify potential prior exploitation.

Share

EUVD-2026-30369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy