📄 Description (English)
Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints. Attackers can exploit insufficient access control checks on the /v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, and /v1/leases/:id/egress/ticket endpoints to obtain bridge-agent tickets and impersonate trusted lease-side bridges despite having only visibility permissions.
🤖 AI Executive Summary
CVE-2026-8629 is a privilege escalation vulnerability in Crabbox prior to v0.12.0 that allows visibility-only users to obtain sensitive agent tickets (Code, WebVNC, Egress) through insufficient access control checks. Attackers can impersonate trusted bridges and gain unauthorized access to lease resources. With a CVSS score of 8.1 and no patch currently available, this poses a significant risk to organizations using Crabbox for infrastructure management.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 20, 2026 05:20
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using Crabbox for cloud infrastructure, container orchestration, or virtualization management. Most at-risk sectors include: (1) Government agencies and NCA-regulated entities managing critical infrastructure; (2) Banking and financial institutions (SAMA-regulated) using Crabbox for secure resource isolation; (3) Telecommunications providers (STC, Mobily) managing network infrastructure; (4) Energy sector organizations (ARAMCO, SEC) operating critical systems; (5) Healthcare providers managing patient data systems. The privilege escalation allows attackers to bypass access controls and potentially access sensitive operational data, compromise system integrity, and establish persistent access to critical infrastructure.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Telecommunications
Energy and Utilities
Healthcare
Cloud Infrastructure Providers
Data Centers
🎯 MITRE ATT&CK Techniques
T1548 - Abuse Elevation Control Mechanism
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1078 - Valid Accounts
T1078.001 - Valid Accounts: Default Accounts
T1087 - Account Discovery
T1110 - Brute Force
T1133 - External Remote Services
T1199 - Trusted Relationship
T1021 - Remote Service Session Initiation
⚖️ Saudi Risk Score (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all Crabbox instances in your environment and document their versions
2. Restrict network access to Crabbox API endpoints (/v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, /v1/leases/:id/egress/ticket) using firewall rules and WAF policies
3. Audit all user accounts with visibility-only permissions and review their recent API access logs
4. Revoke any suspicious or unexplained agent tickets (Code, WebVNC, Egress)
5. Monitor for POST requests to affected endpoints from non-admin accounts
Compensating Controls (until patch available):
6. Implement strict role-based access control (RBAC) at the application level
7. Deploy API gateway with request validation to block unauthorized POST requests to ticket endpoints
8. Enable comprehensive API logging and alerting for all ticket generation requests
9. Implement network segmentation to isolate Crabbox infrastructure
10. Require multi-factor authentication for all administrative access
Detection Rules:
11. Alert on POST requests to /v1/leases/*/ticket endpoints from non-privileged users
12. Monitor for rapid successive ticket requests from single user accounts
13. Track bridge impersonation attempts through agent ticket validation logs
14. Flag any visibility-only user accounts attempting to access Code, WebVNC, or Egress resources
Patching:
15. Subscribe to Crabbox security advisories and upgrade to v0.12.0 or later immediately upon release
16. Test patches in non-production environments before deployment
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع مثيلات Crabbox في بيئتك وقم بتوثيق إصداراتها
2. قيد الوصول إلى نقاط نهاية API الخاصة بـ Crabbox باستخدام قواعد جدار الحماية وسياسات WAF
3. قم بمراجعة جميع حسابات المستخدمين التي لديها أذونات عرض فقط وراجع سجلات وصول API الخاصة بهم مؤخراً
4. قم بإلغاء أي تذاكر وكيل مريبة أو غير مشروحة (Code و WebVNC و Egress)
5. راقب طلبات POST إلى النقاط النهائية المتأثرة من حسابات غير إدارية
الضوابط التعويضية (حتى توفر التصحيح):
6. تنفيذ التحكم في الوصول القائم على الأدوار الصارمة (RBAC) على مستوى التطبيق
7. نشر بوابة API مع التحقق من الطلبات لحظر طلبات POST غير المصرح بها إلى نقاط نهاية التذاكر
8. تفعيل تسجيل شامل للـ API والتنبيهات لجميع طلبات إنشاء التذاكر
9. تنفيذ تقسيم الشبكة لعزل بنية Crabbox التحتية
10. طلب المصادقة متعددة العوامل لجميع الوصول الإداري
قواعد الكشف:
11. تنبيه على طلبات POST إلى نقاط نهاية /v1/leases/*/ticket من المستخدمين غير المميزين
12. مراقبة طلبات التذاكر المتتالية السريعة من حسابات مستخدم واحد
13. تتبع محاولات انتحال الجسور من خلال سجلات التحقق من تذاكر الوكيل
14. وضع علامة على أي حسابات مستخدم برؤية فقط تحاول الوصول إلى موارد Code أو WebVNC أو Egress
التصحيح:
15. اشترك في تنبيهات أمان Crabbox وقم بالترقية إلى الإصدار v0.12.0 أو أحدث فوراً عند الإصدار
16. اختبر التصحيحات في بيئات غير الإنتاج قبل النشر
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.5.1.1 - Access Control Policy (insufficient access control checks)
ECC 2024 A.5.2.1 - User Registration and Access Rights Management
ECC 2024 A.5.3.1 - Management of Privileged Access Rights
ECC 2024 A.8.2.1 - User Access Management
ECC 2024 A.9.2.1 - User Access Management (privilege escalation)
🔵 SAMA CSF
SAMA CSF ID.AM-1 - Asset Management (inventory of Crabbox instances)
SAMA CSF AC-2 - Access Control (insufficient access controls)
SAMA CSF AC-3 - Separation of Duties (privilege escalation bypass)
SAMA CSF DE-1 - Detection and Analysis (monitoring for exploitation)
SAMA CSF RS-1 - Response Planning (incident response procedures)
🟡 ISO 27001:2022
ISO 27001:2022 A.5.2 - Information security policies and procedures
ISO 27001:2022 A.6.2 - Internal organization (access control responsibilities)
ISO 27001:2022 A.8.2 - Asset management
ISO 27001:2022 A.9.1 - Access control policy
ISO 27001:2022 A.9.2 - User access management
ISO 27001:2022 A.9.4 - Access rights review
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Restrict access to system components by business need to know
PCI DSS 7.1 - Limit access to system components by business need to know
PCI DSS 8.1 - Assign unique ID to each person with computer access
🔗 References & Sources 5
🔗
🔗
🔗
🔗
🔗
https://github.com/openclaw/crabbox/commit/95cb30dc7dbaa1fef690a42ef6ac1cb6e307a191
disclosure@vulncheck.com
https://github.com/openclaw/crabbox/pull/71
disclosure@vulncheck.com
https://github.com/openclaw/crabbox/releases/tag/v0.12.0
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/crabbox-privilege-escalation-via-agent-ticket-endp...
disclosure@vulncheck.com
https://github.com/openclaw/crabbox/pull/71
134c704f-9b21-4f2e-91b3-4a467353bcc0