Home / Vulnerability Intelligence / CVE-2026-8621

CVE-2026-8621 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: May 14, 2026

Crabbox - Authentication Bypass

Published: May 14, 2026Updated: May 14, 2026Remote Exploitable

Overview

Crabbox < 0.12.0 contains an authentication bypass caused by spoofing identity headers in requests authenticated with a shared token, letting non-admin attackers impersonate owners or organizations to bypass authorization checks.

Severity & Score

Severity: High

CVSS Score: 8.8

Impact

Non-admin attackers can impersonate owners or organizations to access victim accounts' scoped lease operations, bypassing authorization.

Mitigation

Update to version 0.12.0 or later.

References

https://github.com/openclaw/crabbox/commit/b657323f1d1c954cefc8444571fa6c45a8896e7f
https://github.com/openclaw/crabbox/pull/70
https://github.com/openclaw/crabbox/releases/tag/v0.12.0
https://www.vulncheck.com/advisories/crabbox-authentication-bypass-via-header-spoofing

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-8621
Severity: High
CVSS Score: 8.8
Type: broken_authentication
Status: new

CWE

CWE-287

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H