High severity8.8NVD Advisory· Published May 14, 2026· Updated May 15, 2026
CVE-2026-8621
CVE-2026-8621
Description
Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers. Attackers can inject malicious X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a shared token to bypass authorization checks and access owner/org-scoped lease operations belonging to victim accounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/openclaw/crabboxGo | < 0.12.0 | 0.12.0 |
Affected products
2Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-4g9m-rffv-h6wqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-8621ghsaADVISORY
- github.com/openclaw/crabbox/commit/b657323f1d1c954cefc8444571fa6c45a8896e7fnvdWEB
- github.com/openclaw/crabbox/pull/70nvdWEB
- github.com/openclaw/crabbox/releases/tag/v0.12.0nvdWEB
- www.vulncheck.com/advisories/crabbox-authentication-bypass-via-header-spoofingnvdWEB
News mentions
0No linked articles in our index yet.