CVE 9.3 CRITICAL

Crabbox < v0.12.0 Environment Variable Information Disclosure_CVE-2026-8634

May 14, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment. Attackers can exploit overly permissive environment variable allowlisting in repo-local Crabbox configuration to serialize sensitive environment variables into remote command execution, exposing credentials to the remote environment.

AI Analysis

Environment variable exposure vulnerability in Crabbox prior to v0.12.0

Basic Information

ID CVE-2026-8634

Source VulnCheck

Published May 14, 2026 at 19:18

Affected Product

Vendor openclaw

Product crabbox

Affected Versions openclaw crabbox 0

CWE Classification

CWE-94

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor openclaw

Product crabbox

Version < v0.12.0

References

{
    "lastseen": "",
    "description": "Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment. Attackers can exploit overly permissive environment variable allowlisting in repo-local Crabbox configuration to serialize sensitive environment variables into remote command execution, exposing credentials to the remote environment.",
    "published": "2026-05-14T19:18:31.370Z",
    "modified": "2026-05-14T19:18:31.370Z",
    "type": "cve",
    "title": "Crabbox < v0.12.0 Environment Variable Information Disclosure",
    "source": "VulnCheck",
    "references": "https://github.com/openclaw/crabbox/releases/tag/v0.12.0\nhttps://github.com/openclaw/crabbox/pull/78\nhttps://github.com/openclaw/crabbox/commit/eaae40ae4ce009e60633f16f7f19600c74557f6f\nhttps://www.vulncheck.com/advisories/crabbox-environment-variable-information-disclosure",
    "id": "CVE-2026-8634",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "openclaw crabbox 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "crabbox",
    "version": "0",
    "vendor": "openclaw",
    "ai_description": "Environment variable exposure vulnerability in Crabbox prior to v0.12.0",
    "ai_severity": "Critical",
    "ai_vendor": "openclaw",
    "ai_product": "crabbox",
    "ai_version": "< v0.12.0",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply