Environment Variable Exposure in Crabbox by OpenClaw
CVE-2026-8634

9.3CRITICAL

Key Information:

Vendor: Openclaw
Status: Crabbox
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-8634?

Crabbox versions before v0.12.0 contain a vulnerability that exposes environment variables to potential attackers with access to a compromised repository. This flaw arises from overly permissive allowlisting of environment variables, enabling attackers to serialize sensitive data such as API tokens and cloud credentials into remote command execution contexts. As a result, this creates pathways for unauthorized access to critical secrets that should remain confidential.

Affected Version(s)

crabbox 0

crabbox 0 < 0.12.0

crabbox eaae40ae4ce009e60633f16f7f19600c74557f6f

References

https://github.com/openclaw/crabbox/releases/tag/v0.12.0

release-notes

https://github.com/openclaw/crabbox/pull/78

issue-tracking

https://github.com/openclaw/crabbox/commit/eaae40ae4ce009...

patch

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
May 14, 2026

Credit

Chia Min Jun Lennon

CVE-2026-8634 Data

JSON

Openclaw

What is CVE-2026-8634?

Affected Version(s)

References

CVSS V4

Timeline

Credit