CVE-2026-8621 · HIGH 8.8 · EPSS percentile 27.8%

CVE-2026-8621

Description

Crabbox prior to v0.12.0 contains an authentication bypass (CWE-287) that lets a caller holding a non-admin shared token impersonate other owners or organizations by spoofing identity headers. The server derived the caller's owner and organization from the client-supplied X-Crabbox-Owner and X-Crabbox-Org headers without checking that the shared token was entitled to assert them, so an attacker who sets those headers to a victim's owner and org identifiers bypasses the authorization check and can perform owner- and org-scoped lease operations on the victim's account. The issue is fixed in v0.12.0 (see the referenced commit and PR #70); earlier versions have no safe configuration short of upgrading.
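The pattern behind the advisory, as an added illustrative model rather than Crabbox's own code: a request is authenticated by a shared bearer token, but the owner/org used for authorization is read from client headers. The token store, lease store, header-handling helper and the shape of the hardened resolver (reject identity headers from non-admin tokens, allow them only for admin tokens) are hypothetical; the actual fix in the referenced commit may differ in detail.

```python
"""Illustrative model of the CVE-2026-8621 pattern: a shared-token caller
supplies its own X-Crabbox-Owner / X-Crabbox-Org headers and the server
trusts them. All names, stores and the fix shape here are hypothetical."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    """What the server knows about a shared token (hypothetical schema)."""
    owner: str
    org: str
    admin: bool = False


# Constructed sample data, not real Crabbox tokens or leases.
TOKENS = {
    "tok-alice": TokenRecord(owner="alice", org="org-a"),
    "tok-ops": TokenRecord(owner="svc-ops", org="org-ops", admin=True),
}
LEASES = {  # lease id -> (owner, org) allowed to operate on it
    "lease-1": ("alice", "org-a"),
    "lease-2": ("bob", "org-b"),
}

IDENTITY_HEADERS = ("X-Crabbox-Owner", "X-Crabbox-Org")


class Unauthorized(Exception):
    """401: no usable credential."""


class Forbidden(Exception):
    """403: credential is valid but not entitled to this action."""


def _canonical(headers):
    """HTTP header names are case-insensitive; normalise them so a lowercase
    'x-crabbox-owner' cannot slip past a check written in canonical case."""
    return {k.title(): v for k, v in headers.items()}


def authenticate(headers):
    """Map the bearer token to its server-side record, or fail with 401."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Unauthorized("missing bearer token")
    record = TOKENS.get(auth[len("Bearer "):])
    if record is None:
        raise Unauthorized("unknown token")
    return record


def resolve_identity_vulnerable(headers):
    """Pre-fix shape: any authenticated caller may override owner/org."""
    headers = _canonical(headers)
    record = authenticate(headers)
    owner = headers.get("X-Crabbox-Owner", record.owner)
    org = headers.get("X-Crabbox-Org", record.org)
    return owner, org


def resolve_identity_fixed(headers):
    """Hardened shape: identity is bound to the token record. Only an admin
    token may act on behalf of another owner/org. A non-admin request that
    carries identity headers is rejected rather than silently ignored, so
    spoofing attempts surface as 403s in the access log."""
    headers = _canonical(headers)
    record = authenticate(headers)
    if not record.admin and any(h in headers for h in IDENTITY_HEADERS):
        raise Forbidden("identity headers require an admin token")
    owner = headers.get("X-Crabbox-Owner", record.owner)
    org = headers.get("X-Crabbox-Org", record.org)
    return owner, org


def get_lease(lease_id, headers, resolve=resolve_identity_fixed):
    """Owner/org-scoped lease read; `resolve` selects which identity logic runs."""
    owner, org = resolve(headers)
    if lease_id not in LEASES:
        raise KeyError(lease_id)
    if LEASES[lease_id] != (owner, org):
        raise Forbidden(f"{owner}/{org} may not access {lease_id}")
    return {"lease": lease_id, "owner": owner, "org": org}


def spoof_succeeds(resolve):
    """Probe: does alice's non-admin token reach bob's lease by spoofing headers?"""
    request = {
        "Authorization": "Bearer tok-alice",
        "x-crabbox-owner": "bob",  # lowercase on purpose: must still be caught
        "X-Crabbox-Org": "org-b",
    }
    try:
        get_lease("lease-2", request, resolve)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    print("vulnerable resolver bypassed:", spoof_succeeds(resolve_identity_vulnerable))
    print("fixed resolver bypassed:     ", spoof_succeeds(resolve_identity_fixed))
```

Rejecting the headers for non-admin tokens (instead of ignoring them) is the stricter choice: it keeps the header override available for legitimate admin delegation while turning every spoofing attempt into a 403 that detection rules can alert on. When reviewing a fix of this kind, also confirm the header check is case-insensitive and that every owner/org-scoped route goes through the same resolver rather than reading the headers directly.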

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.36% probability of exploitation · percentile 27.8% · 2026-06-18T12:00:27Z
Published: 2026-05-14
Last modified: 2026-05-15

Underlying weaknesses (1)

CWE-287 Improper Authentication

References

  1. https://github.com/openclaw/crabbox/commit/b657323f1d1c954cefc8444571fa6c45a8896e7f
  2. https://github.com/openclaw/crabbox/pull/70
  3. https://github.com/openclaw/crabbox/releases/tag/v0.12.0
  4. https://www.vulncheck.com/advisories/crabbox-authentication-bypass-via-header-spoofing

Type       Target                              Confidence   Tier
Weakness   Improper Authentication (cwe-287)   0%           live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-45223
  2. CVE-2026-8629
  3. CVE-2026-8634
  4. CVE-2026-32051
  5. CVE-2026-4525
  6. CVE-2026-22172
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.