CVE-2026-8621
Published 2026-05-14
CVE-2026-8621: Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or…
Priority P2 · 61 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.36% (28.0th percentile)
Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers. Attackers can inject malicious X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a shared token to bypass authorization checks and access owner/org-scoped lease operations belonging to victim accounts.
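As an added illustration of the bug class the description names (this is not Crabbox's own code, whose internals this page does not show), the Python sketch below contrasts a resolver that trusts caller-supplied X-Crabbox-Owner / X-Crabbox-Org headers on a shared token with one that binds identity to the token and honours the override only for admin tokens; the Token type, the resolver and lease-check function names, and the sample identities are all assumptions.

```python
from dataclasses import dataclass

# Header names are the two quoted in the advisory; everything else here
# (Token, the resolver functions, the lease check) is constructed for this
# example and does not reflect Crabbox's actual code.
OWNER_HDR = "x-crabbox-owner"
ORG_HDR = "x-crabbox-org"


@dataclass(frozen=True)
class Token:
    owner: str
    org: str
    is_admin: bool = False


def _norm(headers: dict) -> dict:
    # HTTP header names are case-insensitive; compare on a lowercased copy.
    return {k.lower(): v for k, v in headers.items()}


def resolve_identity_vulnerable(token: Token, headers: dict) -> tuple:
    """Pre-fix pattern: caller-supplied headers override the token's identity
    regardless of whether the token is an admin token."""
    h = _norm(headers)
    return h.get(OWNER_HDR, token.owner), h.get(ORG_HDR, token.org)


def resolve_identity_fixed(token: Token, headers: dict) -> tuple:
    """Hardened pattern: identity comes from the token binding. Only an admin
    token may act on behalf of another owner/org; a non-admin request that
    carries the override headers is rejected (not silently ignored) so the
    attempt surfaces in error logs."""
    h = _norm(headers)
    if token.is_admin:
        return h.get(OWNER_HDR, token.owner), h.get(ORG_HDR, token.org)
    if OWNER_HDR in h or ORG_HDR in h:
        raise PermissionError("identity override headers require an admin token")
    return token.owner, token.org


def can_access_lease(lease_owner: str, lease_org: str, token: Token,
                     headers: dict, resolver) -> bool:
    """Owner/org-scoped authorization check for a lease operation."""
    try:
        owner, org = resolver(token, headers)
    except PermissionError:
        return False
    return owner == lease_owner and org == lease_org
```

Rejecting rather than dropping the headers for non-admin tokens also gives the server a concrete event to alert on when a shared token is used with override headers.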
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | openclaw_crabbox | >= 0 < 0.12.0 | 0.12.0 |
| openclaw | crabbox | < 0.12.0 | 0.12.0 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
CVE-2026-8621 [HIGH] openclaw crabbox up to 0.11.x improper authentication
vuldb · 2026-05-15 · CVSS 8.7
A vulnerability, which was classified as critical, has been found in openclaw crabbox up to 0.11.x. Affected is an unknown function. This manipulation causes improper authentication.
The identification of this vulnerability is CVE-2026-8621. It is possible to initiate the attack remotely. There is no exploit available.
It is advisable to upgrade the affected component.
GHSA
CVE-2026-8621 [HIGH] CWE-287 GHSA-4g9m-rffv-h6wq: Crabbox prior to v0
ghsa_unreviewed · 2026-05-14
GHSA
CVE-2026-8621 [HIGH] CWE-287 Crabbox: authentication bypass vulnerability that allows impersonation of others by spoofing identity headers
ghsa · 2026-05-14
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-14