{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/crabbox/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-45223"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Crabbox","Crabbox Coordinator (\u003c 0.9.0)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","privilege-escalation","cve"],"_cs_type":"advisory","_cs_vendors":["Crabbox"],"content_html":"\u003cp\u003eCrabbox, a data management system, contains an authentication bypass vulnerability, tracked as CVE-2026-45223, affecting coordinator versions prior to 0.9.0. The flaw lies in the coordinator\u0026rsquo;s user-token verification: the \u003ccode\u003everifyUserToken()\u003c/code\u003e function trusts the \u003ccode\u003eadmin\u003c/code\u003e claim carried in the token payload instead of rejecting an administrative claim for a non-administrative subject, so an attacker holding a valid but non-administrative user token can forge an administrative one. By crafting a user-token payload that contains the \u003ccode\u003eadmin: true\u003c/code\u003e claim and signing it with HMAC-SHA256, the attacker passes the authentication checks on admin-only coordinator routes. The advisory does not say how the attacker obtains or circumvents the HMAC-SHA256 signing key; the attack chain below assumes the key is available to them. A forged token that is accepted gives access to sensitive coordinator functions: viewing leases, managing pool state and performing forced release operations. In effect any user of the coordinator can escalate to administrator, which amounts to a complete takeover of the coordinator component and the data management functions it controls.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a valid, non-administrative user token for the Crabbox coordinator, either through legitimate user registration or by compromising an existing user account.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a user-token payload that includes the \u003ccode\u003eadmin: true\u003c/code\u003e claim, the claim the coordinator treats as conferring administrative privileges.\u003c/li\u003e\n\u003cli\u003eAttacker signs the crafted payload with HMAC-SHA256. This step requires the signing key; the advisory assumes the attacker has obtained it through some other vulnerability or exposure and does not describe any way to produce a valid signature without it.\u003c/li\u003e\n\u003cli\u003eAttacker presents the forged token to an admin-only coordinator route.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003everifyUserToken()\u003c/code\u003e accepts the token and honours its \u003ccode\u003eadmin: true\u003c/code\u003e claim rather than rejecting a payload whose subject is not an administrator, so the route\u0026rsquo;s admin check passes.\u003c/li\u003e\n\u003cli\u003eThe coordinator grants the attacker full administrator access on the strength of the forged token.\u003c/li\u003e\n\u003cli\u003eAttacker uses the elevated privileges to read sensitive state, such as lease visibility and pool state.\u003c/li\u003e\n\u003cli\u003eAttacker performs unauthorized actions, such as forced release operations or changes to pool configuration, leading to data corruption or service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-45223 gives the attacker complete control over the Crabbox coordinator component: lease visibility, pool state management and forced release operations. Manipulating pool configuration from that position can corrupt data or disrupt service. The CVSS score of 8.8 places the issue at high severity. Exposure is confined to deployments whose coordinator is older than 0.9.0, and the consequences are most severe where Crabbox underpins critical data management processes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Crabbox coordinator to version 0.9.0 or later, which patches CVE-2026-45223.\u003c/li\u003e\n\u003cli\u003eBecause the attack chain relies on the token signing key, rotate the coordinator\u0026rsquo;s signing key and invalidate outstanding user tokens if there is any indication that the key has been exposed.\u003c/li\u003e\n\u003cli\u003eMonitor and alert on suspicious coordinator activity, in particular unexpected pool configuration changes, forced release operations not tied to a known administrator, and tokens that carry \u003ccode\u003eadmin: true\u003c/code\u003e for subjects who are not administrators.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Crabbox Coordinator Admin Claim Forgery\u0026rdquo; to detect attempts to forge admin tokens.\u003c/li\u003e\n\u003cli\u003eReview access controls so that only authorized users can obtain coordinator user tokens, since any valid token is the starting point of the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T19:17:44Z","date_published":"2026-05-11T19:17:44Z","id":"https://feed.craftedsignal.io/briefs/2026-05-crabbox-auth-bypass/","summary":"Crabbox before 0.9.0 is vulnerable to an authentication bypass (CVE-2026-45223) in the coordinator user-token verification, allowing attackers with a non-admin token to escalate privileges to full coordinator admin access by crafting a malicious user-token with an 'admin: true' claim.","title":"Crabbox Coordinator Authentication Bypass Vulnerability (CVE-2026-45223)","url":"https://feed.craftedsignal.io/briefs/2026-05-crabbox-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Crabbox","version":"https://jsonfeed.org/version/1.1"}
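An added example, not Crabbox's code and not part of the CraftedSignal brief, of the verification pattern the attack chain describes: a vulnerable verifier that takes the caller's administrative status from the `admin` claim in the token body, next to a hardened verifier that authenticates the subject with the HMAC and then resolves authorization from a server-side role table. The token layout (`body.tag`), `ISSUER_KEY`, `USER_ROLES` and all function names are assumptions; the forged token is signed with the issuer key because the attack chain assumes the attacker has it. The hardened verifier also records the mismatch event the monitoring recommendation would alert on, so the same block covers the attack chain and the detection advice.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo of the token-verification pattern the advisory describes.
# ISSUER_KEY, USER_ROLES, the "body.tag" token layout and every function name
# below are assumptions for illustration, not Crabbox's own code or key.
ISSUER_KEY = b"constructed-demo-key-do-not-reuse"
USER_ROLES = {"alice": "user", "ops-admin": "admin"}   # server-side source of truth
AUDIT_LOG = []                                          # stands in for coordinator logging


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes = ISSUER_KEY) -> str:
    """Issuer side: canonical JSON body, HMAC-SHA256 tag over the encoded body."""
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def _authenticate(token: str, key: bytes) -> Optional[dict]:
    """Shared MAC check. Returns the decoded claims, or None if the tag is wrong."""
    body, _, tag = token.partition(".")
    try:
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):   # constant-time compare
            return None
        claims = json.loads(_unb64(body))
    except ValueError:           # covers bad base64, bad UTF-8 and bad JSON
        return None
    return claims if isinstance(claims, dict) else None


def verify_user_token_vulnerable(token: str, key: bytes = ISSUER_KEY) -> Optional[dict]:
    """The pattern CVE-2026-45223 describes: after the MAC check the verifier
    takes the caller's admin status from the token body itself."""
    claims = _authenticate(token, key)
    if claims is None:
        return None
    return {"sub": claims.get("sub"), "admin": bool(claims.get("admin", False))}


def verify_user_token_hardened(token: str, key: bytes = ISSUER_KEY) -> Optional[dict]:
    """Hardened form: the MAC only proves who issued the token; the admin
    decision is looked up server-side from the subject and never read from
    the payload. A signed admin claim for a non-admin subject is logged."""
    claims = _authenticate(token, key)
    if claims is None:
        return None
    sub = claims.get("sub")
    role = USER_ROLES.get(sub)
    if role is None:
        return None
    if claims.get("admin") and role != "admin":
        # The detection signal the advisory's monitoring advice points at.
        AUDIT_LOG.append({"event": "admin_claim_mismatch", "sub": sub})
    return {"sub": sub, "admin": role == "admin"}


def admin_route(token: str, verify) -> str:
    """An admin-only coordinator route (e.g. forced release) guarded by `verify`."""
    ident = verify(token)
    if ident is None:
        return "401 invalid token"
    if not ident["admin"]:
        return "403 admin only"
    return "200 forced release performed"


def demo() -> dict:
    AUDIT_LOG.clear()
    legit = sign_token({"sub": "alice", "admin": False})
    # Attack chain steps 2-3: add admin: true and re-sign. The advisory assumes
    # the attacker can produce a valid HMAC, so the issuer key is used here.
    forged = sign_token({"sub": "alice", "admin": True})
    # Same payload signed without the real key: fails the MAC check in both verifiers.
    no_key = sign_token({"sub": "alice", "admin": True}, key=b"guessed-key")
    real_admin = sign_token({"sub": "ops-admin"})
    return {
        "legit_vulnerable": admin_route(legit, verify_user_token_vulnerable),
        "forged_vulnerable": admin_route(forged, verify_user_token_vulnerable),
        "forged_hardened": admin_route(forged, verify_user_token_hardened),
        "no_key_vulnerable": admin_route(no_key, verify_user_token_vulnerable),
        "real_admin_hardened": admin_route(real_admin, verify_user_token_hardened),
        "alerts": list(AUDIT_LOG),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the hardened form is that a correct MAC check is not a fix on its own: as long as the route reads `admin` from the payload, anyone who can obtain a valid signature for a modified body is an administrator. Binding authorization to the subject's server-side role makes the forged claim inert and turns it into an audit event instead.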