CVE-2026-45223 – Crabbox < 0.9.0 Authentication Bypass via Admin Claim Injection

CVE ID :CVE-2026-45223

Published : May 11, 2026, 7:16 p.m. | 43 minutes ago

Description :Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges. An attacker with access to the shared non-admin token can craft a user-token payload with admin: true, sign it using HMAC-SHA256, and present it to admin-only coordinator routes to gain full coordinator admin access including lease visibility, pool state management, and forced release operations.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-8344 – D-Link DIR-816 formDMZ.cgi sub_445E7C command injection

CVE-2026-42188 – Geyser: Server-Side Request Forgery (SSRF) via Player Head Texture URL

CVE-2026-42046 – libcaca: Heap OOB write in canvas import functions caused by int overflow

CVE-2026-43874 – WWBN AVideo: Incomplete Fix for YPTSocket autoEvalCodeOnHTML Strip: Unauthenticated Cross-User JavaScript Execution via `$msg[‘json’]` Relay Bypass