CVE-2026-8629: Crabbox Privilege Escalation Puts Shared Environments at Risk

The National Vulnerability Database has detailed CVE-2026-8629, a high-severity privilege escalation vulnerability in Crabbox versions prior to v0.12.0. This flaw allows users with only visibility access to obtain critical agent tickets for Code, WebVNC, and Egress functionalities. The root cause lies in insufficient access control checks on specific ticket endpoints, enabling attackers to impersonate trusted lease-side bridges.

Attackers can exploit this by sending crafted POST requests to /v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, and /v1/leases/:id/egress/ticket. Despite their limited permissions, successful exploitation grants them bridge-agent tickets, effectively elevating their privileges. This vulnerability is rated 8.1 (HIGH) on the CVSS scale, underscoring the significant risk of unauthorized access and potential control over affected systems.

This isn’t just a theoretical vulnerability; it’s a direct path to deeper compromise. For environments relying on Crabbox for secure, segmented access, this flaw completely undermines the principle of least privilege. Defenders need to recognize that an attacker gaining these tickets isn’t just seeing data — they’re gaining the keys to manipulate and exfiltrate information, or establish persistent access, bypassing carefully constructed access controls.

What This Means For You

  • If your organization uses Crabbox, you must immediately patch to v0.12.0 or later to mitigate CVE-2026-8629. Review your access logs for any anomalous POST requests to the `/v1/leases/:id/code/ticket`, `/v1/leases/:id/webvnc/ticket`, and `/v1/leases/:id/egress/ticket` endpoints from users with limited visibility permissions. This is a critical privilege escalation that can lead to full system compromise.
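One way to run the log review described above, as an added example that is not part of the original article or of Crabbox itself. It assumes access logs in Common Log Format with the authenticated user in the third field, and a hypothetical user-to-role map (`owner`, `admin` and `viewer` are placeholder role names); the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Ticket endpoints named in the advisory; ":id" is treated as one path segment.
TICKET_RE = re.compile(r"^/v1/leases/([^/?#]+)/(code|webvnc|egress)/ticket/?(?:\?.*)?$")
# Assumed layout: Common Log Format, authenticated user in the third field.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_suspect_ticket_requests(lines, roles, allowed=frozenset({"owner", "admin"})):
    """Return ticket POSTs made by users whose role is not in `allowed`.

    `roles` (user -> role) is a hypothetical export from your identity source;
    users missing from it are reported as "unknown" rather than skipped.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        t = TICKET_RE.match(m["uri"])
        if not t:
            continue
        role = roles.get(m["user"], "unknown")
        if role in allowed:
            continue
        # Assumption: a 2xx status means the server returned a ticket.
        hits.append({"user": m["user"], "role": role, "ip": m["ip"], "ts": m["ts"],
                     "lease": t[1], "kind": t[2], "status": int(m["status"]),
                     "issued": m["status"].startswith("2")})
    return hits

def summarize(hits):
    """Per user: which ticket kinds were requested and whether any was issued."""
    out = defaultdict(lambda: {"kinds": set(), "issued": False})
    for h in hits:
        out[h["user"]]["kinds"].add(h["kind"])
        out[h["user"]]["issued"] |= h["issued"]
    return dict(out)

# Constructed sample data (not real Crabbox output).
SAMPLE_ROLES = {"alice": "owner", "bob": "viewer"}
SAMPLE_LOG = [
    '203.0.113.5 - alice [14/May/2026:10:00:01 +0000] "POST /v1/leases/l-100/code/ticket HTTP/1.1" 200 312',
    '198.51.100.7 - bob [14/May/2026:10:02:11 +0000] "POST /v1/leases/l-100/webvnc/ticket HTTP/1.1" 200 298',
    '198.51.100.7 - bob [14/May/2026:10:02:15 +0000] "POST /v1/leases/l-100/egress/ticket?x=1 HTTP/1.1" 403 41',
    '198.51.100.7 - bob [14/May/2026:10:02:20 +0000] "GET /v1/leases/l-100 HTTP/1.1" 200 512',
    '192.0.2.9 - - [14/May/2026:10:03:00 +0000] "POST /v1/leases/l-200/code/ticket HTTP/1.1" 401 0',
]
```

Entries with `issued` set are the ones to triage first: a limited-visibility account received a ticket, so the lease it names should be treated as exposed for the period before the upgrade to v0.12.0.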

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1068 Privilege Escalation

CVE-2026-8629: Crabbox Privilege Escalation via Ticket Endpoint Access

Sigma YAML
title: CVE-2026-8629: Crabbox Privilege Escalation via Ticket Endpoint Access
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects POST requests to specific Crabbox ticket endpoints (/v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, /v1/leases/:id/egress/ticket) which are exploited in CVE-2026-8629 for privilege escalation by users with only visibility permissions.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8629/
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: webserver
detection:
  selection:
    cs-method:
      - 'POST'
    cs-uri:
      - '/v1/leases/*/code/ticket'
      - '/v1/leases/*/webvnc/ticket'
      - '/v1/leases/*/egress/ticket'
  # condition is a key of detection, alongside the selection it names
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse


Indicators of Compromise

ID | Type | Indicator
CVE-2026-8629 | Privilege Escalation | Crabbox prior to v0.12.0
CVE-2026-8629 | Privilege Escalation | Insufficient access control checks
CVE-2026-8629 | Privilege Escalation | POST request to /v1/leases/:id/code/ticket
CVE-2026-8629 | Privilege Escalation | POST request to /v1/leases/:id/webvnc/ticket
CVE-2026-8629 | Privilege Escalation | POST request to /v1/leases/:id/egress/ticket

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 23:17 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
