CVE-2026-45223
Received Received - Intake
Authentication Bypass in Crabbox Coordinator Token Handling

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: VulnCheck

Description
Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges. An attacker with access to the shared non-admin token can craft a user-token payload with admin: true, sign it using HMAC-SHA256, and present it to admin-only coordinator routes to gain full coordinator admin access including lease visibility, pool state management, and forced release operations.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-11
EPSS Evaluated
2026-06-19
NVD
CVE-2026-45223
EUVD
EUVD-2026-29197
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw crabbox to 0.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-45223 allows attackers to escalate privileges to full coordinator admin access by bypassing authentication controls. This unauthorized access can lead to exposure and manipulation of sensitive data, lease visibility, and pool state management, which may compromise confidentiality, integrity, and availability of data.

Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

The vulnerability arises when shared tokens are used improperly, allowing attackers to forge admin claims in user tokens. This undermines the security boundary between normal users and administrators, increasing the risk of non-compliance.

The fix implemented in version 0.9.0 rejects caller-provided admin claims in user tokens and enforces proper authentication boundaries, helping to restore compliance with security requirements mandated by such regulations.

Executive Summary

CVE-2026-45223 is an authentication bypass vulnerability in Crabbox versions before 0.9.0. The issue lies in the coordinator's user-token verification process, specifically in the verifyUserToken() function, which fails to reject user tokens containing an admin claim. This flaw allows an attacker who has access to a shared non-admin token to craft a user-token payload with admin: true, sign it using HMAC-SHA256, and gain unauthorized admin access to coordinator-only routes.

The vulnerability arises because the authentication logic incorrectly accepts admin claims in user tokens, collapsing the separation between normal user access and admin access. The attacker can exploit this to perform actions reserved for administrators, such as viewing leases, managing pool states, and forcing release operations.

The fix in version 0.9.0 removes the admin field from the user token payload schema, rejects any user token containing an admin claim, and ensures that verified user tokens are mapped to a non-admin context by default.

Impact Analysis

This vulnerability can have significant security impacts by allowing an attacker with access to a shared non-admin token to escalate their privileges to full coordinator admin access.

  • Unauthorized visibility into lease information.
  • Ability to manage pool states, potentially disrupting normal operations.
  • Capability to force release operations, which could affect resource availability.

Because exploitation requires only low privileges and no user interaction, it poses a high risk in environments where token secrets are not properly isolated.

Detection Guidance

This vulnerability involves an attacker crafting user tokens with an admin claim that are incorrectly accepted by the system. Detection involves inspecting user tokens for unauthorized admin claims and monitoring access to admin-only coordinator routes.

You can detect potential exploitation by checking logs for user tokens containing an admin claim or by verifying tokens using scripts that decode and inspect the payload for the presence of an admin: true field.

A suggested approach is to extract and decode JWT or HMAC-SHA256 signed tokens used by Crabbox and check if the payload contains an admin claim. For example, if tokens are base64 encoded, you can decode them using commands like:

  • echo '<token_part>' | base64 --decode | jq '.' # to inspect the token payload
  • grep or search logs for tokens or requests containing 'admin: true' in the payload

Additionally, monitoring access patterns to admin-only coordinator routes for unexpected user tokens can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade Crabbox to version 0.9.0 or later, where the vulnerability has been fixed by rejecting any user tokens containing admin claims and enforcing proper authentication boundaries.

If upgrading immediately is not possible, ensure that the shared token fallback (CRABBOX_SHARED_TOKEN) is not used as the HMAC key for user tokens, and configure a distinct session secret (CRABBOX_SESSION_SECRET) to prevent token forgery.

Review and restrict access to the shared non-admin token to prevent attackers from crafting forged tokens.

Monitor and audit user tokens and access logs for suspicious admin claims in tokens and unauthorized access to admin-only routes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45223. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart