8 matches found

RedhatCVE
added yesterday, 3 views

CVE-2026-45223

Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges. An attacker with access to the shared non-admin...

CVSS 8.8, AI score 5.5, EPSS 0.00106
Exploits: 0, References: 1

CVE
added 2026/05/11 6:12 p.m., 7 views

CVE-2026-45223

Crabbox prior to 0.9.0 contains an authentication bypass in the coordinator’s user-token verification path. The verifyUserToken() function fails to reject payloads with an admin: true claim, enabling an attacker with access to a non-admin token to craft a user-token payload, sign it with HMAC-SHA...

CVSS 8.8, AI score 5.8, EPSS 0.00106
Exploits: 0, References: 4

Cvelist
added 2026/05/11 6:12 p.m., 28 views

CVE-2026-45223 Crabbox < 0.9.0 Authentication Bypass via Admin Claim Injection

Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges. An attacker with access to the shared non-admin...

CVSS 8.8, EPSS 0.00106
Exploits: 0, References: 4

CNNVD
added 2026/05/11 12:00 a.m., 2 views

Crabbox security vulnerability

Crabbox is an open-source remote code execution and test environment management tool developed by OpenClaw. Versions of Crabbox prior to 0.9.0 contained a security vulnerability stemming from an authentication bypass in the coordinator's user-token verification process. The...

CVSS 8.8, AI score 6.5, EPSS 0.00106
Exploits: 0, References: 1

NVD
added 2025/10/10 2:15 p.m., 3 views

CVE-2025-61152

python-jose through 3.3.0 allows JWT tokens with 'alg=none' to be decoded and accepted without any cryptographic signature verification. A malicious actor can craft a forged token with arbitrary claims (e.g., isadmin=true) and bypass authentication checks, leading to privilege escalation or unauthoriz...

CVSS 6.5, EPSS 0.00068
Exploits: 0, References: 3

CVE
added 2025/10/10 12:00 a.m., 13 views

CVE-2025-61152

The vulnerability CVE-2025-61152 affects python-jose up to version 3.3.0. It allows JWT tokens signed with alg=none to be decoded and accepted without cryptographic signature verification, enabling a forged token with arbitrary claims (e.g., is_admin=true) and bypassing authentication in applicat...

CVSS 6.5, AI score 6.6, EPSS 0.00068
Exploits: 0, References: 3

Code423n4
added 2022/12/16 12:00 a.m., 6 views

Inconsistent parameter settings can break the business logic

Lines of code / Vulnerability details / Impact: The usual business logic of the raffle should be that, if a user wins a raffle, he can always claim the NFT before a redraw can be initialized. However, the settings parameters can be set inconsistently so that a winner may not be able to claim the NFT...

AI score 6.7
Exploits: 0

Code423n4
added 2022/09/23 12:00 a.m., 10 views

User will lose rewards

Lines of code / Vulnerability details / Impact: Users will lose their rewards even when the vesting period has completed. The rewards will also get stuck in the contract with no one able to retrieve them. Proof of Concept: 1. Admin creates a new claim using the createClaim function: function createClaim address...

AI score 6.7
Exploits: 0