Description
Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or crabbox.yaml file with traversal sequences to cause arbitrary file deletion and overwrite when sync.delete is enabled, as the workspace preparation logic executes rm -rf and mkdir -p operations on the resolved path without proper validation.
Published: 2026-05-11
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Crabbox before version 0.9.0 allows attackers to craft a malicious configuration file that contains path traversal sequences. The vulnerable workspace resolution improperly validates absolute or relative paths, enabling the program to delete or overwrite arbitrary files on the host system when sync.delete is enabled. This flaw could result in loss of critical data or system files, leading to denial of service or compromise of configuration integrity.

Affected Systems

OpenClaw Crabbox in all releases prior to 0.9.0. The vulnerability applies to any deployment of Crabbox that processes external .crabbox.yaml or crabbox.yaml files and uses the Islo provider for workspace preparation.

Risk and Exploitability

The CVSS score of 6.8 indicates a moderate to high severity. The EPSS score is not available. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote: an attacker can supply a crafted configuration file through any interface that accepts .crabbox.yaml payloads. Once processed and if sync.delete is active, the attacker’s payload will execute filesystem operations outside the intended workspace, leading to arbitrary file deletion or overwrite.

Generated by OpenCVE AI on May 11, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Crabbox to version 0.9.0 or later; this patch removes the path traversal flaw in the workspace resolution.
  • If an upgrade cannot yet be applied, disable the sync.delete feature to prevent the dangerous rm -rf and mkdir -p operations from executing.
  • Implement input validation or sandboxing for any process that accepts .crabbox.yaml files, ensuring that resolved paths are confined to the /workspace directory.
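The confinement check named in the last item, as an added example in Python (not Crabbox's own code; this page does not show the project's implementation or language): a workspace value read from a .crabbox.yaml file is resolved against the /workspace root and rejected if it normalises outside it, covering both the absolute and the ../ cases the description mentions. The helper names, the rule that the root itself is never a valid target, the argv-only planning of the rm -rf / mkdir -p steps, and the sample config values are assumptions constructed for the example.

```python
import posixpath

# Confinement root named in the advisory. A real deployment would pass the
# directory it actually prepares; the check itself only inspects path strings.
WORKSPACE_ROOT = "/workspace"


class PathTraversalError(ValueError):
    """Raised when a configured path would escape the workspace root."""


def resolve_workspace_path(configured: str, root: str = WORKSPACE_ROOT) -> str:
    """Return the resolved path for a config-supplied workspace entry, or raise.

    Hypothetical helper (not Crabbox's API). Both absolute values and relative
    values containing '..' are joined to the root and normalised lexically;
    posixpath.join() discards the root when `configured` is absolute, which is
    exactly why the result must be checked afterwards rather than trusted.
    """
    root_norm = posixpath.normpath(root)
    if not posixpath.isabs(root_norm):
        raise ValueError("workspace root must be an absolute path")
    candidate = posixpath.normpath(posixpath.join(root_norm, configured))
    # commonpath() compares whole path components, so '/workspace-old' is not
    # mistaken for a child of '/workspace' the way a startswith() check would.
    if posixpath.commonpath([root_norm, candidate]) != root_norm:
        raise PathTraversalError(
            f"{configured!r} resolves to {candidate}, outside {root_norm}")
    # Assumption: the root itself is never a valid target, because the
    # preparation step deletes and recreates the resolved directory.
    if candidate == root_norm:
        raise PathTraversalError(f"{configured!r} resolves to the root itself")
    return candidate


def is_confined(configured: str, root: str = WORKSPACE_ROOT) -> bool:
    """True if the value would be accepted, False if it would be rejected."""
    try:
        resolve_workspace_path(configured, root)
        return True
    except PathTraversalError:
        return False


def prepare_workspace(configured: str, root: str = WORKSPACE_ROOT,
                      *, delete: bool = False) -> list:
    """Plan the rm -rf / mkdir -p steps the advisory describes, for a confined path only.

    Returns the commands as argv lists instead of running them, so the example
    is side-effect free; `delete` mirrors the sync.delete switch.
    """
    # Validation happens before any command is planned, so a rejected value
    # never reaches either filesystem operation.
    target = resolve_workspace_path(configured, root)
    steps = []
    if delete:
        steps.append(["rm", "-rf", target])
    steps.append(["mkdir", "-p", target])
    return steps


if __name__ == "__main__":
    # Constructed sample values, as they might appear in a workspace field of
    # a .crabbox.yaml file; none of these are taken from the advisory.
    for value in ["project", "a/../b", "../../srv", "/srv/other",
                  "../workspace-old", ".", ""]:
        try:
            print(f"{value!r:20} -> {resolve_workspace_path(value)}")
        except PathTraversalError as exc:
            print(f"{value!r:20} -> rejected: {exc}")
```

The check is purely lexical so it runs offline; a deployment that has already created the directory should additionally compare os.path.realpath() of the resolved target against the root, since a symlink inside the workspace can point elsewhere even when the string passes this test.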


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-3cjv-h753-qf7h
Title: Crabbox contains a path traversal vulnerability in the Islo provider's workspace path resolution
History

Tue, 12 May 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Openclaw, Openclaw crabbox

Type: Vendors & Products
Values Added: Openclaw, Openclaw crabbox

Mon, 11 May 2026 18:45:00 +0000

Type: Description
Values Added: Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or crabbox.yaml file with traversal sequences to cause arbitrary file deletion and overwrite when sync.delete is enabled, as the workspace preparation logic executes rm -rf and mkdir -p operations on the resolved path without proper validation.

Type: Title
Values Added: Crabbox < 0.9.0 Path Traversal via Islo Provider Workspace Resolution

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics
Values Added:
cvssV3_1
{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H'}
cvssV4_0
{'score': 6.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-12T16:22:10.898Z

Reserved: 2026-05-11T14:14:49.611Z

Link: CVE-2026-45224

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-11T19:16:28.297

Modified: 2026-05-12T14:47:42.170

Link: CVE-2026-45224

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:22:34Z

Weaknesses