CVE-2026-45223
Status: Received - Intake
Authentication Bypass in Crabbox Coordinator Token Handling

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulnCheck

Description
Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges. An attacker with access to the shared non-admin token can craft a user-token payload with admin: true, sign it using HMAC-SHA256, and present it to admin-only coordinator routes to gain full coordinator admin access including lease visibility, pool state management, and forced release operations.
Meta Information
Generated: 2026-05-11
AI Q&A: 2026-05-11
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor    Product   Version / Range
openclaw  crabbox   up to 0.9.0 (exclusive)
CWE
CWE ID    Description
CWE-290   This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-45223 is an authentication bypass vulnerability in Crabbox versions before 0.9.0. The issue lies in the coordinator's user-token verification process, specifically in the verifyUserToken() function, which fails to reject user tokens containing an admin claim. This flaw allows an attacker who has access to the shared non-admin token to craft a user-token payload with admin: true, sign it using HMAC-SHA256, and present it to admin-only coordinator routes to gain unauthorized admin access.

The vulnerability arises because the authentication logic incorrectly accepts admin claims in user tokens, collapsing the separation between normal user access and admin access. The attacker can exploit this to perform actions reserved for administrators, such as viewing leases, managing pool states, and forcing release operations.

The fix in version 0.9.0 removes the admin field from the user token payload schema, rejects any user token containing an admin claim, and ensures that verified user tokens are mapped to a non-admin context by default.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-45223 allows attackers to escalate privileges to full coordinator admin access by bypassing authentication controls. This unauthorized access exposes lease information and lets the attacker manipulate pool state and force release operations, compromising the confidentiality, integrity, and availability of the coordinator's data and operations.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

The impact is aggravated where the shared non-admin token also serves as the HMAC key for user tokens, since anyone holding that token can forge admin claims. This undermines the security boundary between normal users and administrators, increasing the risk of non-compliance.

The fix implemented in version 0.9.0 rejects caller-provided admin claims in user tokens and enforces proper authentication boundaries, helping to restore compliance with security requirements mandated by such regulations.


How can this vulnerability impact me?

This vulnerability can have significant security impacts by allowing an attacker with access to a shared non-admin token to escalate their privileges to full coordinator admin access.

  • Unauthorized visibility into lease information.
  • Ability to manage pool states, potentially disrupting normal operations.
  • Capability to force release operations, which could affect resource availability.

Because exploitation requires only low privileges and no user interaction, it poses a high risk in environments where token secrets are not properly isolated.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an attacker crafting user tokens with an admin claim that are incorrectly accepted by the system. Detection involves inspecting user tokens for unauthorized admin claims and monitoring access to admin-only coordinator routes.

You can detect potential exploitation by checking logs for user tokens containing an admin claim or by verifying tokens using scripts that decode and inspect the payload for the presence of an admin: true field.

A suggested approach is to extract and decode the signed tokens Crabbox uses (JWT-style or a bare HMAC-SHA256 signature over a base64-encoded payload) and check whether the payload contains an admin claim. The payload is the encoded segment before the signature (the second dot-separated segment of a JWT), and it is usually base64url-encoded without padding, so a plain base64 --decode can fail until the alphabet is converted and padding is restored. For example:

  • echo '<token_part>' | base64 --decode | jq '.' # to inspect the token payload
  • search logs for decoded token payloads or request records containing "admin": true (raw encoded tokens in logs must be decoded first; the string will not appear in them verbatim)

Additionally, monitoring access patterns to admin-only coordinator routes for unexpected user tokens can help detect exploitation attempts.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is to upgrade Crabbox to version 0.9.0 or later, where the vulnerability has been fixed by rejecting any user tokens containing admin claims and enforcing proper authentication boundaries.

If upgrading immediately is not possible, ensure that the shared token fallback (CRABBOX_SHARED_TOKEN) is not used as the HMAC key for user tokens, and configure a distinct session secret (CRABBOX_SESSION_SECRET) to prevent token forgery.

Review and restrict access to the shared non-admin token to prevent attackers from crafting forged tokens.

Monitor and audit user tokens and access logs for suspicious admin claims in tokens and unauthorized access to admin-only routes.

