Path Traversal Vulnerability in Crabbox by Openclaw
CVE-2026-45224

6.8 MEDIUM

Key Information:

Vendor: Openclaw
Status: Vendor
CVE Published: 11 May 2026

What is CVE-2026-45224?

Crabbox prior to version 0.9.0 is susceptible to a path traversal vulnerability caused by improper workspace path resolution in the Islo provider. An attacker can exploit the flaw by supplying crafted file paths in a malicious .crabbox.yaml file. Successful exploitation can lead to unauthorized access to files outside the designated /workspace directory, and to arbitrary file deletion or overwriting when the sync.delete operation is enabled. The root cause is that path verification during directory preparation lacks adequate validation, so the rm -rf and mkdir -p commands the application runs can be pointed at paths outside the workspace.
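As an added illustration of the missing check (example code, not Crabbox's or Openclaw's own), the following Python shows a lexical workspace-boundary check that a directory-preparation step could apply before running mkdir -p or rm -rf, and a planner that records rejected entries instead of acting on them. The config keys and the shape of the parsed .crabbox.yaml are assumptions; nothing is executed.

```python
import posixpath
from typing import Optional

WORKSPACE_ROOT = "/workspace"

def resolve_workspace_path(root: str, requested: str) -> Optional[str]:
    """Absolute path for `requested` if it stays inside `root`, else None.
    Lexical check only (no filesystem access): normalise the joined path and
    require `root` as a prefix on a directory boundary, which rejects absolute
    paths, '..' escapes and look-alike prefixes such as '/workspace2'. Symlinks
    are not resolved; a workspace that permits them needs a realpath check too.
    """
    root = posixpath.normpath(root)
    if posixpath.isabs(requested):
        return None  # an absolute path would bypass the workspace entirely
    candidate = posixpath.normpath(posixpath.join(root, requested))
    if candidate != root and not candidate.startswith(root + "/"):
        return None  # escaped the workspace through '..'
    return candidate

def plan_sync_actions(config: dict) -> dict:
    """Split sync entries into the mkdir/rm targets that are safe to act on.
    Nothing is executed: the caller runs `mkdir -p` on plan['mkdir'] and, only
    when sync.delete is set, `rm -rf` on plan['rm']. Entries resolving outside
    the workspace, or to the root itself while delete is on, are only recorded
    in plan['rejected'].
    """
    root = posixpath.normpath(config.get("workspace", WORKSPACE_ROOT))
    sync = config.get("sync", {})
    delete = bool(sync.get("delete", False))
    plan = {"mkdir": [], "rm": [], "rejected": []}
    for entry in sync.get("paths", []):
        resolved = resolve_workspace_path(root, entry)
        if resolved is None or (delete and resolved == root):
            plan["rejected"].append(entry)
            continue
        plan["mkdir"].append(resolved)
        if delete:
            plan["rm"].append(resolved)
    return plan

# Constructed sample standing in for a hostile .crabbox.yaml after YAML parsing;
# the 'workspace', 'sync.delete' and 'sync.paths' keys are assumptions.
SAMPLE_CONFIG = {
    "workspace": "/workspace",
    "sync": {"delete": True,
             "paths": ["src/app", "build/../cache", "../../etc", "/root/.ssh", "."]},
}
```

Calling plan_sync_actions(SAMPLE_CONFIG) keeps only the two in-workspace entries and lists the three escaping ones under 'rejected'.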

Affected Version(s)

  • crabbox 0
  • crabbox 0 < 0.9.0
  • crabbox 6b07193fb5670aac315ea47215651c67b8127868

CVSS V4

Score: 6.8
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon