CVE-2026-45224
Path Traversal in Crabbox Before 0.9.0
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | crabbox | before 0.9.0 (0.9.0 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-45224 is a path traversal vulnerability in the Crabbox project's Islo provider before version 0.9.0. It occurs because the workspace path resolution does not properly validate paths, allowing attackers to supply absolute or relative paths that escape the intended /workspace directory.
Attackers can craft malicious configuration files (.crabbox.yaml or crabbox.yaml) containing traversal sequences (like "../") that cause the system to delete or overwrite arbitrary files when the sync.delete feature is enabled. This happens because the workspace preparation logic executes commands like rm -rf and mkdir -p on the resolved path without proper validation.
The vulnerability is classified under CWE-22, which relates to improper limitation of a pathname to a restricted directory.
How can this vulnerability impact me?
This vulnerability can allow an attacker to delete or overwrite arbitrary files on the system where Crabbox is running, potentially leading to data loss or system instability.
Exploitation requires a user to run Crabbox from a repository containing a malicious configuration file that leverages the path traversal flaw.
If exploited, it could result in unauthorized modification or deletion of sensitive files outside the intended workspace directory, which may compromise system integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking repositories for .crabbox.yaml or crabbox.yaml files whose Islo provider workspace path configuration contains path traversal sequences.
Specifically, look for configuration files that specify an absolute path, or a relative path containing '../', so that the resolved path escapes the intended /workspace directory.
- Use a command like `grep -rE --include='*crabbox.yaml' 'workdir:[[:space:]]*"?(/|.*\.\./)' /path/to/repositories` to find workdir entries that are absolute (leading `/`) or contain a `../` traversal sequence; restricting the match this way avoids flagging ordinary nested relative paths such as `src/app`.
- Check for the presence of .crabbox.yaml or crabbox.yaml files containing suspicious path entries.
- Monitor for unexpected file deletions or modifications in directories outside /workspace, especially if sync.delete is enabled.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update Crabbox to version 0.9.0 or later, where the Islo provider includes validation to prevent path traversal.
The fix enforces that the workspace path is strictly contained within the /workspace directory by rejecting absolute paths and directory traversal sequences.
Additionally, review and sanitize any existing .crabbox.yaml or crabbox.yaml files to ensure they do not contain absolute or traversal paths in the workdir configuration.
If possible, disable the sync.delete feature until the environment is confirmed safe, as this feature enables the destructive rm -rf operations exploited by this vulnerability.
Implement monitoring to detect unauthorized file deletions or modifications outside the intended workspace.
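The following is an added example, not Crabbox project code, that turns the detection and mitigation advice above into a small defender-side checker. It applies the containment rule the fix is described as enforcing (reject absolute paths and `..` traversal, keep the path under /workspace) to `workdir` entries found in config files, and it reports whether `sync.delete` is enabled, since that is what makes the traversal destructive. Three assumptions are made and labelled in the code: the key name `workdir` is taken from the grep command on this page, the workspace root is /workspace as stated in the Q&A, and `sync.delete` is a `delete:` boolean nested under a `sync:` mapping. Verify all three against the Crabbox version you run.

```python
"""Added example (not Crabbox project code): a defender-side checker for the
CWE-22 workdir issue described on this page.

Assumptions (verify against your Crabbox version):
- the config key is `workdir`, as in the grep command on this page;
- the workspace root is /workspace, as stated in the Q&A;
- `sync.delete` is a boolean `delete:` nested under a `sync:` mapping.
"""
import posixpath
import re
from typing import Dict, List, Tuple

WORKSPACE_ROOT = "/workspace"  # from the page; assumed to be the mount point

# `workdir:` line with an optional quoted value (key name taken from the page).
_WORKDIR_LINE = re.compile(r'^\s*workdir:\s*["\']?([^"\'#\s]*)')
_SYNC_LINE = re.compile(r'^(\s*)sync:\s*$')
_DELETE_TRUE = re.compile(r'^(\s*)delete:\s*(true|yes|on)\s*(#.*)?$', re.IGNORECASE)


def is_safe_workdir(workdir: str, root: str = WORKSPACE_ROOT) -> bool:
    """Containment rule mirroring the 0.9.0 fix as the page describes it:
    reject absolute paths and any `..` component, then confirm lexically
    that the joined path still sits under `root`.

    This is a lexical check only: a symlink placed inside the workspace can
    still point elsewhere, so it complements upgrading, it does not replace it.
    """
    if not workdir:
        return False
    if workdir.startswith(("/", "\\")) or "\\" in workdir:
        return False  # absolute path or Windows-style separators: rejected outright
    if any(part == ".." for part in workdir.split("/")):
        return False  # traversal sequence present
    resolved = posixpath.normpath(posixpath.join(root, workdir))
    return resolved == root or resolved.startswith(root + "/")


def find_unsafe_workdirs(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, value) for every workdir entry that fails the rule."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _WORKDIR_LINE.match(line)
        if m and not is_safe_workdir(m.group(1)):
            hits.append((lineno, m.group(1)))
    return hits


def sync_delete_enabled(text: str) -> bool:
    """True if a `delete: true` line sits inside an indented `sync:` block."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = _SYNC_LINE.match(line)
        if not m:
            continue
        base = len(m.group(1))
        for child in lines[i + 1:]:
            if child.strip() == "" or child.lstrip().startswith("#"):
                continue
            indent = len(child) - len(child.lstrip())
            if indent <= base:
                break  # left the sync block
            if _DELETE_TRUE.match(child):
                return True
    return False


def assess_config(text: str) -> Dict[str, object]:
    """Combine both signals the page calls out: unsafe workdir plus sync.delete."""
    unsafe = find_unsafe_workdirs(text)
    delete_on = sync_delete_enabled(text)
    if unsafe and delete_on:
        severity = "high"    # arbitrary deletion/overwrite outside /workspace is reachable
    elif unsafe:
        severity = "medium"  # traversal present, destructive sync not enabled
    else:
        severity = "none"
    return {"unsafe_workdirs": unsafe, "sync_delete": delete_on, "severity": severity}


# Constructed sample configs (not real project files) for a local dry run.
MALICIOUS_CONFIG = """\
provider: islo
workdir: "../../etc"
sync:
  delete: true
"""

SAFE_CONFIG = """\
provider: islo
workdir: src/app
sync:
  delete: false
"""

if __name__ == "__main__":
    for name, cfg in (("malicious", MALICIOUS_CONFIG), ("safe", SAFE_CONFIG)):
        print(name, assess_config(cfg))
```

Run it over a checkout with something like `for f in $(find . -name '*crabbox.yaml'); do python3 check.py < "$f"; done` after adapting the `__main__` block to read stdin; the `severity` field is what to alert on, and `high` findings should be treated as a reason to block the sync rather than merely log it.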