Skip to main content

Crabbox

5 CVEs product

Monthly

CVE-2026-8634 Go CRITICAL PATCH GHSA Act Now

Crabbox versions before 0.12.0 leak local secrets through environment variable forwarding during remote command execution. When users run commands against malicious or compromised repositories, attackers exploit overly permissive environment variable allowlisting in repository-local configuration files to exfiltrate API tokens, cloud credentials, and broker tokens into the remote execution environment. The vendor released v0.12.0 on May 12, 2026 with fixes including `--allow-env` explicit allowlisting and `--env-from-profile` for safer secret forwarding. No public exploit identified at time of analysis, though the attack surface is straightforward for attackers controlling repository configuration.

Code Injection RCE Crabbox
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-8629 HIGH PATCH This Week

Privilege escalation in Crabbox versions prior to v0.12.0 allows authenticated users with visibility-only permissions to escalate privileges and obtain code execution, remote desktop access, and data exfiltration capabilities. By directly invoking three unprotected ticket-generation endpoints (/v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, /v1/leases/:id/egress/ticket), attackers can obtain bridge-agent credentials and impersonate trusted lease-side bridges, bypassing intended read-only access restrictions. The vulnerability was patched in v0.12.0 (commit 95cb30dc) following VulnCheck disclosure. CVSS 8.6 (High) reflects network-accessible exploitation requiring only low-privilege authentication with low attack complexity. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack is straightforward for authenticated insiders.

Authentication Bypass Privilege Escalation Crabbox
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-8621 Go HIGH PATCH GHSA This Week

Authentication bypass in Crabbox versions prior to v0.12.0 allows authenticated attackers with shared-token access to impersonate arbitrary owners or organizations. By injecting crafted X-Crabbox-Owner and X-Crabbox-Org headers in API requests, attackers can bypass authorization checks and gain full access to victim lease operations across organizational boundaries. VulnCheck reported this vulnerability, and a vendor-released patch is available in version v0.12.0. CVSS 8.7 (High) reflects network-accessible exploitation with low privileges required, high impact to confidentiality, integrity, and availability within the vulnerable component scope.

Authentication Bypass Crabbox
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-45224 Go MEDIUM PATCH This Month

Path traversal in Crabbox <0.9.0 allows local attackers to delete or overwrite arbitrary files via malicious .crabbox.yaml configuration. When a user executes Crabbox commands with a crafted workspace configuration containing directory traversal sequences (e.g., '../../../'), the Islo provider performs rm -rf and mkdir -p on attacker-controlled paths outside /workspace. Patch available in v0.9.0 (commit 6b07193). No KEV listing or public POC identified, but exploitation requires only user interaction (opening/running a malicious project), not authentication or special privileges.

Path Traversal Crabbox
NVD GitHub
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-45223 HIGH PATCH This Week

Authentication bypass in Crabbox coordinator allows privilege escalation to full admin access. Attackers holding valid low-privilege user tokens can inject an admin claim into the token payload, sign it with HMAC-SHA256, and authenticate to admin-restricted coordinator endpoints. This grants unauthorized access to lease visibility across all users, pool state management, and forced release operations. Patch available in version 0.9.0 with upstream commit confirmed. No active exploitation (CISA KEV) or public POC identified at time of analysis, but CVSS 8.8 reflects network-accessible attack with low complexity once initial authentication is obtained.

Authentication Bypass Crabbox
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Crabbox versions before 0.12.0 leak local secrets through environment variable forwarding during remote command execution. When users run commands against malicious or compromised repositories, attackers exploit overly permissive environment variable allowlisting in repository-local configuration files to exfiltrate API tokens, cloud credentials, and broker tokens into the remote execution environment. The vendor released v0.12.0 on May 12, 2026 with fixes including `--allow-env` explicit allowlisting and `--env-from-profile` for safer secret forwarding. No public exploit identified at time of analysis, though the attack surface is straightforward for attackers controlling repository configuration.

Code Injection RCE Crabbox
NVD GitHub
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Privilege escalation in Crabbox versions prior to v0.12.0 allows authenticated users with visibility-only permissions to escalate privileges and obtain code execution, remote desktop access, and data exfiltration capabilities. By directly invoking three unprotected ticket-generation endpoints (/v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, /v1/leases/:id/egress/ticket), attackers can obtain bridge-agent credentials and impersonate trusted lease-side bridges, bypassing intended read-only access restrictions. The vulnerability was patched in v0.12.0 (commit 95cb30dc) following VulnCheck disclosure. CVSS 8.6 (High) reflects network-accessible exploitation requiring only low-privilege authentication with low attack complexity. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though the attack is straightforward for authenticated insiders.

Authentication Bypass Privilege Escalation Crabbox
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Authentication bypass in Crabbox versions prior to v0.12.0 allows authenticated attackers with shared-token access to impersonate arbitrary owners or organizations. By injecting crafted X-Crabbox-Owner and X-Crabbox-Org headers in API requests, attackers can bypass authorization checks and gain full access to victim lease operations across organizational boundaries. VulnCheck reported this vulnerability, and a vendor-released patch is available in version v0.12.0. CVSS 8.7 (High) reflects network-accessible exploitation with low privileges required, high impact to confidentiality, integrity, and availability within the vulnerable component scope.

Authentication Bypass Crabbox
NVD GitHub
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Path traversal in Crabbox <0.9.0 allows local attackers to delete or overwrite arbitrary files via malicious .crabbox.yaml configuration. When a user executes Crabbox commands with a crafted workspace configuration containing directory traversal sequences (e.g., '../../../'), the Islo provider performs rm -rf and mkdir -p on attacker-controlled paths outside /workspace. Patch available in v0.9.0 (commit 6b07193). No KEV listing or public POC identified, but exploitation requires only user interaction (opening/running a malicious project), not authentication or special privileges.

Path Traversal Crabbox
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Authentication bypass in Crabbox coordinator allows privilege escalation to full admin access. Attackers holding valid low-privilege user tokens can inject an admin claim into the token payload, sign it with HMAC-SHA256, and authenticate to admin-restricted coordinator endpoints. This grants unauthorized access to lease visibility across all users, pool state management, and forced release operations. Patch available in version 0.9.0 with upstream commit confirmed. No active exploitation (CISA KEV) or public POC identified at time of analysis, but CVSS 8.8 reflects network-accessible attack with low complexity once initial authentication is obtained.

Authentication Bypass Crabbox
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy