Description
Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges. An attacker with access to the shared non-admin token can craft a user-token payload with admin: true, sign it using HMAC-SHA256, and present it to admin-only coordinator routes to gain full coordinator admin access including lease visibility, pool state management, and forced release operations.
CVSS breakdown
CVSS 4.0
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: Present
- Privileges Required: Low
- User Interaction: None
- Confidentiality (Vulnerable System): High
- Integrity (Vulnerable System): High
- Availability (Vulnerable System): High
- Confidentiality (Subsequent System): None
- Integrity (Subsequent System): None
- Availability (Subsequent System): None
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Affected products
- openclaw / crabbox: 0 – 0.9.0
- openclaw / crabbox: 46079f6de7f10cf61bc47efebd0c143a41664898 – 46079f6de7f10cf61bc47efebd0c143a41664898
References
- PATCH: https://github.com/openclaw/crabbox/releases/tag/v0.9.0
- PATCH: https://github.com/openclaw/crabbox/pull/64
- PATCH: https://github.com/openclaw/crabbox/commit/46079f6de7f10cf61bc47efebd0c143a41664898
- VENDOR_ADVISORY: https://www.vulncheck.com/advisories/crabbox-authentication-bypass-via-admin-claim-injection