Privilege Escalation Vulnerability in Crabbox by OpenClaw
CVE-2026-8629

8.6HIGH

Key Information:

Vendor: Openclaw
Status: Crabbox
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-8629?

Crabbox versions before 0.12.0 are susceptible to a privilege escalation vulnerability that permits users with merely visibility permissions to access Code, WebVNC, and Egress agent tickets. By exploiting weak access control measures on various ticket endpoints, such as /v1/leases/:id/code/ticket and others, attackers can impersonate legitimate lease-side bridges. This flaw exposes critical components to unauthorized actions, highlighting the need for enhanced access control and timely updates.

Affected Version(s)

crabbox 0

crabbox 0 < 0.12.0

crabbox 95cb30dc7dbaa1fef690a42ef6ac1cb6e307a191

References

https://github.com/openclaw/crabbox/releases/tag/v0.12.0

release-notes

https://github.com/openclaw/crabbox/pull/71

issue-tracking

https://github.com/openclaw/crabbox/commit/95cb30dc7dbaa1...

patch

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 14, 2026

Credit

Chia Min Jun Lennon

CVE-2026-8629 Data

JSON

Openclaw

What is CVE-2026-8629?

Affected Version(s)

References

CVSS V4

Timeline

Credit