CVE-2026-45223 HIGH

CVE-2026-45223: Crabbox < 0.9.0 Authentication Bypass via Admin Claim Injection

Vendor Openclaw
Product crabbox
Weakness CWE-290
Published May 11, 2026
Last update May 11, 2026

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path: the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges. An attacker with access to the shared non-admin token can craft a user-token payload with admin: true, sign it using HMAC-SHA256, and present it to admin-only coordinator routes to gain full coordinator admin access, including lease visibility, pool state management, and forced release operations.

Key dates

Disclosure timeline

May 11, 2026 CVE published
May 11, 2026 Record updated