High severity8.8NVD Advisory· Published May 11, 2026· Updated May 12, 2026

CVE-2026-45223

Description

Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges. An attacker with access to the shared non-admin token can craft a user-token payload with admin: true, sign it using HMAC-SHA256, and present it to admin-only coordinator routes to gain full coordinator admin access including lease visibility, pool state management, and forced release operations.

Affected products

OpenClaw/Crabboxreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/openclaw/crabbox/commit/46079f6de7f10cf61bc47efebd0c143a41664898nvd
github.com/openclaw/crabbox/pull/64nvd
github.com/openclaw/crabbox/releases/tag/v0.9.0nvd
www.vulncheck.com/advisories/crabbox-authentication-bypass-via-admin-claim-injectionnvd

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000