Which versions of Crabbox are affected by CVE-2026-8634?

Crabbox versions before 0.12.0 expose API tokens, cloud credentials, and broker tokens through overly permissive environment variable forwarding during remote command execution against repositories.. A patch is available.

How to fix or mitigate CVE-2026-8634?

Within 24 hours: Inventory all Crabbox deployments and identify current versions in use. Within 7 days: Upgrade all instances to Crabbox v0.12.0 or later; implement `--allow-env` explicit allowlisting in configuration and review existing repository configurations for overly permissive settings. Within 30 days: Audit environment variable exposure in historical logs, rotate all credentials (API tokens, cloud credentials, broker tokens) that may have been forwarded to remote environments, and conduct security training on repository trust practices.

Crabbox CVE-2026-8634

Q: What is the CVSS score of CVE-2026-8634?

CVE-2026-8634 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-30418 CRITICAL

Code Injection (CWE-94)

2026-05-14 VulnCheck

GHSA-fm77-94qm-4894

RCE Code Injection

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 14, 2026 - 20:28 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 14, 2026 - 20:22 vuln.today

cvss_changed

CVSS changed

May 14, 2026 - 20:22 NVD

9.1 (CRITICAL) 9.3 (CRITICAL)

Source Code Evidence Fetched

May 14, 2026 - 19:47 vuln.today

Analysis Generated

May 14, 2026 - 19:47 vuln.today

CVE Published

May 14, 2026 - 19:18 nvd

CRITICAL 9.1

DescriptionNVD

Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment. Attackers can exploit overly permissive environment variable allowlisting in repo-local Crabbox configuration to serialize sensitive environment variables into remote command execution, exposing credentials to the remote environment.

AnalysisAI

Crabbox versions before 0.12.0 leak local secrets through environment variable forwarding during remote command execution. When users run commands against malicious or compromised repositories, attackers exploit overly permissive environment variable allowlisting in repository-local configuration files to exfiltrate API tokens, cloud credentials, and broker tokens into the remote execution environment. …

RemediationAI

Within 24 hours: Inventory all Crabbox deployments and identify current versions in use. Within 7 days: Upgrade all instances to Crabbox v0.12.0 or later; implement --allow-env explicit allowlisting in configuration and review existing repository configurations for overly permissive settings. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-8634 vulnerability details – vuln.today

Back

Crabbox CVE-2026-8634

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

Crabbox CVE-2026-8634

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code