CVE-2026-8621

Severity CVSS v4.0:
HIGH
Type:
CWE-287 Authentication Issues
Publication date:
14/05/2026
Last modified:
15/05/2026

Description

Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers. Attackers can inject malicious X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a shared token to bypass authorization checks and access owner/org-scoped lease operations belonging to victim accounts.