QwikSec

Security Database

CVE

CWE

Training

CVE-2026-45224

Published: May 11, 2026

Modified: May 12, 2026

PUBLISHED

CVSS v3.1

7.1

HIGH

Description

Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or crabbox.yaml file with traversal sequences to cause arbitrary file deletion and overwrite when sync.delete is enabled, as the workspace preparation logic executes rm -rf and mkdir -p operations on the resolved path without proper validation.

Vendor	Product	Versions
openclaw	crabbox	affected `0 - < 0.9.0` unaffected `6b07193fb5670aac315ea47215651c67b8127868`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

High

References

https://github.com/openclaw/crabbox/releases/tag/v0.9.0

release-notes

https://github.com/openclaw/crabbox/pull/65

issue-tracking

https://github.com/openclaw/crabbox/commit/6b07193fb5670aac315ea47215651c67b8127868

patch

https://www.vulncheck.com/advisories/crabbox-path-traversal-via-islo-provider-workspace-resolution

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.