An issue in spidernet-io spiderpool v.0.9.3 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component.
The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.