PT-2026-39729 · Crabbox · Crabbox
Hinotoi-Agent
·
Published
2026-05-11
·
Updated
2026-05-11
·
CVE-2026-45223
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Crabbox versions prior to 0.9.0
Description
An authentication bypass exists in the coordinator user-token verification path. The
verifyUserToken() function fails to reject payloads containing an admin claim, which allows attackers to escalate privileges. An attacker with access to a shared non-admin token can craft a user-token payload with the admin variable set to true, sign it using HMAC-SHA256 (a cryptographic hash function used for verifying data integrity), and access admin-only coordinator routes. This provides full coordinator admin access, including lease visibility, pool state management, and forced release operations.Recommendations
Update to version 0.9.0 or later.
Exploit
Fix
LPE
Authentication Bypass by Spoofing
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Crabbox