Skip to main content

Crabbox EUVDEUVD-2026-30419

| CVE-2026-8629 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-14 VulnCheck GHSA-23m9-rr4p-xpwh
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (VulnCheck) · only source for this CVE.

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
May 14, 2026 - 20:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 14, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
May 14, 2026 - 20:22 NVD
8.1 (HIGH) 8.6 (HIGH)
Source Code Evidence Fetched
May 14, 2026 - 19:46 vuln.today
Analysis Generated
May 14, 2026 - 19:46 vuln.today
CVE Published
May 14, 2026 - 19:11 nvd
HIGH 8.1

DescriptionCVE.org

Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints. Attackers can exploit insufficient access control checks on the /v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, and /v1/leases/:id/egress/ticket endpoints to obtain bridge-agent tickets and impersonate trusted lease-side bridges despite having only visibility permissions.

AnalysisAI

Privilege escalation in Crabbox versions prior to v0.12.0 allows authenticated users with visibility-only permissions to escalate privileges and obtain code execution, remote desktop access, and data exfiltration capabilities. By directly invoking three unprotected ticket-generation endpoints (/v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, /v1/leases/:id/egress/ticket), attackers can obtain bridge-agent credentials and impersonate trusted lease-side bridges, bypassing intended read-only access restrictions. The vulnerability was patched in v0.12.0 (commit 95cb30dc) following VulnCheck disclosure. CVSS 8.6 (High) reflects network-accessible exploitation requiring only low-privilege authentication with low attack complexity. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack is straightforward for authenticated insiders.

Technical ContextAI

Crabbox is an infrastructure management platform (openclaw/crabbox) that orchestrates ephemeral compute leases across cloud providers with role-based visibility controls. The vulnerability stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the application fails to validate whether the authenticated user's permission level (visibility-only vs. full control) authorizes privileged operations before issuing bridge-agent tickets. The affected endpoints generate time-limited JWT or session tokens for three critical lease-side services: Code (remote code execution/shell access), WebVNC (remote desktop/graphical access), and Egress (data exfiltration/network bridge). According to CPE cpe:2.3:a:openclaw:crabbox:*:*:*:*:*:*:*:*, all versions before v0.12.0 are vulnerable. The CVSS vector (AV:N/AC:L/PR:L) indicates the endpoints are remotely accessible via network APIs with no additional complexity barriers once a low-privilege user authenticates. The attack surface exists wherever Crabbox deployments implement shared visibility permissions, a common pattern in multi-tenant or team-based infrastructure-as-code workflows.

RemediationAI

Upgrade immediately to Crabbox v0.12.0 or later from https://github.com/openclaw/crabbox/releases/tag/v0.12.0, which contains the authorization fix in commit 95cb30dc7dbaa1fef690a42ef6ac1cb6e307a191 per pull request https://github.com/openclaw/crabbox/pull/71. For environments unable to upgrade immediately, implement network-level access controls to restrict API endpoint access (/v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, /v1/leases/:id/egress/ticket) to only fully-privileged users through reverse proxy rules or API gateway policies, though this workaround does not address the underlying authorization flaw and may break legitimate visibility-only workflows. Audit existing lease access logs for POST requests to the three ticket endpoints from users with visibility-only permissions to detect potential historical exploitation. Review and rotate any bridge-agent credentials or session tokens that may have been obtained by unauthorized users. No configuration-only mitigation fully resolves the vulnerability; code upgrade is required for complete remediation.

Share

EUVD-2026-30419 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy