CVE-2026-45223: Crabbox Authentication Bypass Allows Admin Privilege Escalation

The National Vulnerability Database has detailed CVE-2026-45223, an authentication bypass vulnerability in Crabbox versions prior to 0.9.0. This flaw resides in the verifyUserToken() function, which incorrectly validates user-token payloads. Specifically, the function fails to reject payloads that contain an admin: true claim, even when presented with a non-admin token.

Attackers with access to a shared non-admin token can exploit this by crafting a malicious user-token payload. By signing this payload with HMAC-SHA256 and injecting admin: true, they can present it to admin-only coordinator routes. This grants full administrator access, including visibility into leases, pool state management, and the ability to force release operations. The National Vulnerability Database assigns this a CVSS score of 8.8 (High).

This vulnerability represents a critical breakdown in authorization, allowing unprivileged actors to gain complete control over the Crabbox coordinator. It’s a classic example of insufficient input validation leading directly to privilege escalation, undermining the entire security model of the application.

What This Means For You

  • If your organization uses Crabbox, you need to prioritize upgrading to version 0.9.0 or later immediately. This isn't theoretical; an attacker with even basic access can become an admin. Review your Crabbox deployment for any signs of unauthorized admin activity, particularly around lease management and pool state changes, which could indicate exploitation.

🛡️ Detection Rules

3 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML for the first is shown below.

Rule: CVE-2026-45223: Crabbox Authentication Bypass with Admin Claim (level: critical; ATT&CK T1078.002, Privilege Escalation)
Sigma YAML
title: CVE-2026-45223: Crabbox Authentication Bypass with Admin Claim
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects attempts to bypass Crabbox authentication by crafting a user-token payload with an 'admin=true' claim, targeting coordinator routes. This is specific to CVE-2026-45223 where the verifyUserToken() function fails to reject such payloads, leading to privilege escalation.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45223/
tags:
  - attack.privilege_escalation
  - attack.t1078.002
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/coordinator'
    cs-method|contains:
      - 'POST'
    cs-uri-query|contains:
      - 'admin=true'
  condition: selection
falsepositives:
  - Legitimate administrative activity
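To see what the rule above actually matches, here is its `selection` block applied to a handful of webserver log lines. This is an added example, not part of the page or of the feed's tooling: the log lines are constructed for illustration in W3C extended format, with field names taken from the rule (`cs-method`, `cs-uri`, `cs-uri-query`), and the parser and matcher are written here rather than taken from any Sigma backend.

```python
from typing import Dict, List

# Constructed W3C-style webserver log (not captured from a real deployment).
# Field names follow the rule's webserver logsource: cs-method, cs-uri, cs-uri-query.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri cs-uri-query sc-status
2026-05-11 22:20:01 10.0.0.5 GET /coordinator/leases - 200
2026-05-11 22:20:07 10.0.0.9 POST /coordinator/pool/release admin=true&pool=default 200
2026-05-11 22:21:13 10.0.0.9 POST /api/health - 200
2026-05-11 22:21:40 10.0.0.7 POST /coordinator/leases ADMIN=TRUE 403
2026-05-11 22:22:02 10.0.0.3 POST /coordinator/leases admin=false 200
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Version, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        events.append(dict(zip(fields, values)))
    return events


def matches_rule(event: Dict[str, str]) -> bool:
    """The rule's 'selection': every |contains modifier must hit.

    Sigma string matching is case-insensitive by default, so all three
    comparisons are done on lowercased values.
    """
    uri = event.get("cs-uri", "").lower()
    method = event.get("cs-method", "").lower()
    query = event.get("cs-uri-query", "").lower()
    return "/coordinator" in uri and "post" in method and "admin=true" in query


def run_detection(text: str) -> List[Dict[str, str]]:
    """Return the events from a W3C log that the rule would alert on."""
    return [event for event in parse_w3c(text) if matches_rule(event)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LOG):
        print(hit["time"], hit["c-ip"], hit["cs-uri"], hit["cs-uri-query"], hit["sc-status"])
```

Two things worth noting when deploying it. First, the rule keys on `admin=true` appearing in the query string, while the advisory places the claim inside the HMAC-signed token payload; the rule therefore fires only when that claim also surfaces in the URL, so treat it as a cheap first filter rather than complete coverage and keep the audit of lease and pool-state changes recommended above. Second, the rule ignores `sc-status`: a 403 on a matching request records an attempt that was refused, whereas a 200 on an admin-only coordinator route from a non-admin source is the case that needs follow-up.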

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type                  Indicator
CVE-2026-45223  Auth Bypass           Crabbox before 0.9.0
CVE-2026-45223  Privilege Escalation  Crabbox before 0.9.0
CVE-2026-45223  Auth Bypass           coordinator user-token verification path
CVE-2026-45223  Auth Bypass           verifyUserToken() function fails to reject payloads containing an admin claim
CVE-2026-45223  Privilege Escalation  Crafting user-token payload with admin: true and signing with HMAC-SHA256

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
