CVE-2026-8621: Crabbox Authentication Bypass Allows Impersonation

The National Vulnerability Database has detailed CVE-2026-8621, a high-severity authentication bypass vulnerability in Crabbox prior to v0.12.0. This flaw allows non-admin users with a shared token to impersonate other owners or organizations.

Attackers can exploit this by injecting forged X-Crabbox-Owner and X-Crabbox-Org headers into requests. When the request is authenticated with a shared token, the service trusts these headers instead of the scope bound to the token, so the authorization checks are bypassed and the caller gains access to owner/org-scoped lease operations belonging to victim accounts. This is a critical authorization failure that grants broad access from a low-privilege starting point.

With a CVSS score of 8.8 (HIGH), this vulnerability (CWE-287) represents a significant risk. Any organization utilizing Crabbox versions older than v0.12.0 is exposed to potential account takeover and unauthorized data manipulation. The attacker’s calculus here is straightforward: leverage a weak authorization model to gain privileged access, potentially leading to data exfiltration or service disruption without needing to compromise credentials.

What This Means For You

  • If your organization uses Crabbox, you need to immediately verify your version. Prioritize upgrading to v0.12.0 or later to patch CVE-2026-8621. Audit logs for any suspicious header injections or unauthorized lease operations, particularly from shared token users. This isn't just a hypothetical; it's a direct path for an attacker to bypass your access controls.
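The audit the bullet above calls for can be automated once you know which owner/org each shared token was issued to. The following is an added example (not Crabbox code): it scans constructed JSON access-log records and flags lease operations where a non-admin shared token sent X-Crabbox-Owner/X-Crabbox-Org values that differ from the token's bound scope. The log field names, the token-binding table and the rule that only admin tokens may act across scopes are assumptions about a safe design, not a description of the v0.12.0 patch.

```python
import json
from typing import Dict, List, Tuple

# Constructed: the owner/org each token was issued for, and whether it is
# an admin token (the only kind allowed to act on behalf of another scope).
TOKEN_SCOPES: Dict[str, Tuple[str, str, bool]] = {
    "tok_shared_team_a": ("owner_a", "org_a", False),
    "tok_admin": ("owner_admin", "org_root", True),
}

# Constructed sample access log: one JSON record per line, with the
# authenticating token and the two client-supplied scope headers.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"token": "tok_shared_team_a", "method": "POST", "path": "/leases",
     "hdr_owner": "owner_a", "hdr_org": "org_a"},      # matches token scope
    {"token": "tok_shared_team_a", "method": "PUT", "path": "/leases/42",
     "hdr_owner": "owner_b", "hdr_org": "org_b"},      # spoofed scope
    {"token": "tok_admin", "method": "POST", "path": "/leases",
     "hdr_owner": "owner_b", "hdr_org": "org_b"},      # admin: permitted
    {"token": "tok_shared_team_a", "method": "GET", "path": "/health",
     "hdr_owner": "owner_b", "hdr_org": "org_b"},      # not a lease operation
    {"token": "tok_unknown", "method": "POST", "path": "/leases",
     "hdr_owner": "owner_b", "hdr_org": "org_b"},      # token not on record
])


def effective_scope(token: str, hdr_owner: str, hdr_org: str) -> Tuple[str, str, bool]:
    """Scope a hardened server should act under. Non-admin tokens are pinned
    to the owner/org bound at issuance and the headers are ignored; admin
    tokens may honour them. Returns (owner, org, headers_disagreed)."""
    owner, org, is_admin = TOKEN_SCOPES[token]
    if is_admin:
        return hdr_owner, hdr_org, False
    return owner, org, (hdr_owner != owner or hdr_org != org)


def find_spoofed_lease_requests(log_text: str) -> List[dict]:
    """Return lease-operation records (POST/PUT on /leases, as in the Sigma
    rule on this page) where the scope headers disagree with the token."""
    hits = []
    for line in log_text.splitlines():
        rec = json.loads(line)
        if rec["method"] not in ("POST", "PUT") or not rec["path"].startswith("/leases"):
            continue
        if rec["token"] not in TOKEN_SCOPES:
            rec["reason"] = "token not on record"
            hits.append(rec)
            continue
        _, _, disagreed = effective_scope(rec["token"], rec["hdr_owner"], rec["hdr_org"])
        if disagreed:
            rec["reason"] = "header scope differs from token scope"
            hits.append(rec)
    return hits
```

Feed real log records in the same shape to `find_spoofed_lease_requests` and review every hit, since the second record is exactly the pattern CVE-2026-8621 describes.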

Detection Rules

3 detection rules were auto-generated for this CVE and mapped to MITRE ATT&CK; the Sigma YAML for one of them is shown below.

Severity: critical · ATT&CK: T1078.004 (Privilege Escalation)

CVE-2026-8621: Crabbox Authentication Bypass via Spoofed Headers

Sigma YAML:

```yaml
title: CVE-2026-8621: Crabbox Authentication Bypass via Spoofed Headers
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects attempts to bypass authentication in Crabbox versions prior to v0.12.0 by injecting spoofed 'X-Crabbox-Owner' and 'X-Crabbox-Org' headers in requests targeting lease operations. This indicates an attacker using a shared token to impersonate other owners or organizations, exploiting CVE-2026-8621.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8621/
tags:
  - attack.privilege_escalation
  - attack.t1078.004
logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'POST'
      - 'PUT'
    uri|contains:
      - '/leases'
  selection_headers:
    # 'victim_owner_id' and 'victim_org_id' are placeholders; the rule only
    # fires once they are replaced with the owner/org identifiers that the
    # shared token in question is NOT entitled to use. The header fields
    # must also be present in your web server log and mapped by your backend.
    X-Crabbox-Owner|contains:
      - 'victim_owner_id'
    X-Crabbox-Org|contains:
      - 'victim_org_id'
  condition: selection and selection_headers
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World

Indicators of Compromise

ID | Type | Indicator
CVE-2026-8621 | Auth Bypass | Crabbox prior to v0.12.0
CVE-2026-8621 | Auth Bypass | Spoofing X-Crabbox-Owner header
CVE-2026-8621 | Auth Bypass | Spoofing X-Crabbox-Org header
CVE-2026-8621 | Auth Bypass | Impersonation of other owners or organizations via shared-token authentication

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
