Authentication Bypass Vulnerability in Crabbox by OpenClaw
CVE-2026-45223

7.7 HIGH

Key Information:

Vendor: Openclaw
Status: Vendor
CVE Published: 11 May 2026

What is CVE-2026-45223?

Crabbox prior to version 0.9.0 is vulnerable to an authentication bypass that affects the user-token verification process. The vulnerability arises in the verifyUserToken() function, which improperly accepts payloads that include an admin claim. This oversight enables an attacker with access to a non-admin shared token to forge a user-token payload marked with 'admin: true'. By doing so, they can present this payload to protected admin routes, allowing them to bypass standard authentication measures. This grants unauthorized access to key functionalities such as lease visibility, pool state management, and other admin-level operations.

Affected Version(s)

crabbox 0

crabbox 0 < 0.9.0

crabbox 46079f6de7f10cf61bc47efebd0c143a41664898


CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon