Authentication Bypass Vulnerability in Crabbox by OpenClaw
CVE-2026-8621

8.7HIGH

Key Information:

Vendor: Openclaw
Status: Crabbox
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-8621?

Crabbox versions prior to v0.12.0 are susceptible to an authentication bypass vulnerability that allows attackers to impersonate other owners or organizations. This is achieved through the injection of malicious headers, specifically X-Crabbox-Owner and X-Crabbox-Org, which circumvent existing authorization mechanisms. As a result, non-admin shared-token callers can inadvertently gain access to sensitive operations related to victim accounts, compromising the integrity and confidentiality of their data.

Affected Version(s)

crabbox 0

crabbox 0 < 0.12.0

crabbox b657323f1d1c954cefc8444571fa6c45a8896e7f

References

https://github.com/openclaw/crabbox/releases/tag/v0.12.0

release-notes

https://github.com/openclaw/crabbox/pull/70

issue-tracking

https://github.com/openclaw/crabbox/commit/b657323f1d1c95...

patch

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 14, 2026

Credit

Chia Min Jun Lennon

CVE-2026-8621 Data

JSON

Openclaw

What is CVE-2026-8621?

Affected Version(s)

References

CVSS V4

Timeline

Credit