CVE-2026-45223 - Vulnerability Analysis
HighCVSS: 8.8Last Updated: May 12, 2026
Crabbox - Authentication Bypass
Overview
Crabbox < 0.9.0 contains an authentication bypass caused by verifyUserToken() failing to reject admin claims in user-token payloads, letting attackers escalate privileges to full coordinator admin access, exploit requires access to shared non-admin token.
Severity & Score
Impact
Attackers can escalate privileges to full coordinator admin, gaining control over lease visibility, pool state, and forced release operations.
Mitigation
Update to version 0.9.0 or later.
References
Social Media Activity(2 posts)
š CVE-2026-45223 - High (8.8) Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges... š https://www.thehackerwire.com/vulnerability/CVE-2026-45223/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original post
š CVE-2026-45223 - High (8.8) Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges... š https://www.thehackerwire.com/vulnerability/CVE-2026-45223/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-45223
- Severity
- High
- CVSS Score
- 8.8
- Type
- broken_authentication
- Status
- rejected
- EPSS
- 7.9%
- Social Posts
- 2
CWE
- CWE-290
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H