PT-2026-39729 · Crabbox · Crabbox

Hinotoi-Agent

·

Published

2026-05-11

·

Updated

2026-05-11

·

CVE-2026-45223

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Crabbox versions prior to 0.9.0
Description An authentication bypass exists in the coordinator user-token verification path. The verifyUserToken() function fails to reject payloads containing an admin claim, which allows attackers to escalate privileges. An attacker with access to a shared non-admin token can craft a user-token payload with the admin variable set to true, sign it using HMAC-SHA256 (a cryptographic hash function used for verifying data integrity), and access admin-only coordinator routes. This provides full coordinator admin access, including lease visibility, pool state management, and forced release operations.
Recommendations Update to version 0.9.0 or later.

Exploit

Fix

LPE

Authentication Bypass by Spoofing

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45223

Affected Products

Crabbox