{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-8621/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-8621"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Crabbox \u003c v0.12.0"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","header-spoofing","cve-2026-8621"],"_cs_type":"advisory","_cs_vendors":["openclaw"],"content_html":"\u003cp\u003eCrabbox, software not otherwise characterized in this advisory, is vulnerable to an authentication bypass in versions before v0.12.0. This flaw, identified as CVE-2026-8621, allows attackers using non-admin shared tokens to impersonate other owners or organizations. By injecting malicious \u003ccode\u003eX-Crabbox-Owner\u003c/code\u003e and \u003ccode\u003eX-Crabbox-Org\u003c/code\u003e headers, attackers can bypass authorization checks. This vulnerability was reported on May 14, 2026, and it impacts any Crabbox installation running a version prior to the fix in v0.12.0. Successful exploitation allows unauthorized access to owner/org-scoped lease operations belonging to victim accounts, leading to potential data breaches or service disruption.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a non-admin shared token for a Crabbox instance prior to v0.12.0.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request targeting owner/org-scoped lease operations.\u003c/li\u003e\n\u003cli\u003eThe attacker injects \u003ccode\u003eX-Crabbox-Owner\u003c/code\u003e and \u003ccode\u003eX-Crabbox-Org\u003c/code\u003e headers into the HTTP request, spoofing the identity of a victim owner or organization.\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates the request using the compromised shared token.\u003c/li\u003e\n\u003cli\u003eCrabbox fails to properly validate the injected headers against the authenticated token.\u003c/li\u003e\n\u003cli\u003eThe authorization check is bypassed due to the spoofed identity headers.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the victim\u0026rsquo;s owner/org-scoped lease operations.\u003c/li\u003e\n\u003cli\u003eThe attacker performs malicious actions, such as modifying or deleting lease information, potentially leading to data loss or service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-8621 allows unauthorized access to sensitive lease operations within the Crabbox system. This can result in data breaches, data manipulation, or service disruption depending on the specific functions exposed and the scope of the lease operations. While the specific number of potential victims is unknown, any organization using Crabbox versions prior to v0.12.0 with shared token authentication enabled is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Crabbox to version v0.12.0 or later to patch CVE-2026-8621 (reference: \u003ca href=\"https://github.com/openclaw/crabbox/releases/tag/v0.12.0\"\u003ehttps://github.com/openclaw/crabbox/releases/tag/v0.12.0\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Crabbox Authentication Bypass Attempt via Spoofed Headers\u0026rdquo; to identify exploitation attempts by monitoring for the presence of \u003ccode\u003eX-Crabbox-Owner\u003c/code\u003e and \u003ccode\u003eX-Crabbox-Org\u003c/code\u003e headers in requests.\u003c/li\u003e\n\u003cli\u003eReview and restrict the usage of shared tokens in Crabbox to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eImplement input validation on the \u003ccode\u003eX-Crabbox-Owner\u003c/code\u003e and \u003ccode\u003eX-Crabbox-Org\u003c/code\u003e headers if shared tokens are required, ensuring they match the authenticated user\u0026rsquo;s expected identity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-14T19:18:12Z","date_published":"2026-05-14T19:18:12Z","id":"https://feed.craftedsignal.io/briefs/2026-05-crabbox-auth-bypass/","summary":"Crabbox prior to v0.12.0 contains an authentication bypass vulnerability (CVE-2026-8621) that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers, granting unauthorized access to lease operations.","title":"Crabbox Authentication Bypass via Header Spoofing (CVE-2026-8621)","url":"https://feed.craftedsignal.io/briefs/2026-05-crabbox-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-8621","version":"https://jsonfeed.org/version/1.1"}