Product
Crabbox before 0.9.0 is vulnerable to an authentication bypass (CVE-2026-45223) in the coordinator user-token verification, allowing attackers with a non-admin token to escalate privileges to full coordinator admin access by crafting a malicious user-token with an 'admin: true' claim.