CVE-2026-8634— Crabbox < v0.12.0 Environment Variable Information Disclosure
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8634
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Crabbox < v0.12.0 Environment Variable Information Disclosure
Source: NVD (National Vulnerability Database)
Vulnerability Description
Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment. Attackers can exploit overly permissive environment variable allowlisting in repo-local Crabbox configuration to serialize sensitive environment variables into remote command execution, exposing credentials to the remote environment.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Crabbox 代码注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Crabbox是openclaw开源的一个远程代码执行与测试环境管理工具。 Crabbox 0.12.0之前版本存在代码注入漏洞,该漏洞源于环境变量允许列表过于宽松,可能导致访问恶意或受损仓库的攻击者将本地机密(如API令牌、云凭证和代理令牌)转发到远程命令环境,从而将敏感环境变量序列化到远程命令执行中,暴露凭证。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-8634
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 8139 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-8634
请登录查看更多情报信息。
- https://github.com/openclaw/crabbox/pull/78issue-tracking
- https://nvd.nist.gov/vuln/detail/CVE-2026-8634
Same Patch Batch · openclaw · 2026-05-14 · 3 CVEs total
| CVE-2026-8621 | 8.8 HIGH | Crabbox < v0.12.0 Authentication Bypass via Header Spoofing |
| CVE-2026-8629 | 8.1 HIGH | Crabbox < v0.12.0 Privilege Escalation via Agent Ticket Endpoints |
IV. Related Vulnerabilities
Same product: crabbox
Same vendor: openclaw
- CVE-2026-8629
Crabbox < v0.12.0 Privilege Escalation via Agent Ticket Endp - CVE-2026-8621
Crabbox < v0.12.0 Authentication Bypass via Header Spoofing - CVE-2026-45224
Crabbox < 0.9.0 Path Traversal via Islo Provider Workspace R - CVE-2026-45223
Crabbox < 0.9.0 Authentication Bypass via Admin Claim Inject - CVE-2026-45006
OpenClaw < 2026.4.23 - Unsafe Config Mutation via Gateway To
Same weakness: CWE-94
- CVE-2026-8838
Remote Code Execution via eval() Injection in amazon-redshif - CVE-2026-45829
ChromaDB <=1.0.0 代码注入漏洞 - CVE-2026-6902
Code Injection in Perforce P4 (Helix Core) - CVE-2018-25320
ACL Analytics 11.x - 13.0.0.579 Arbitrary Code Execution - CVE-2021-47952
python jsonpickle 2.0.0 Remote Code Execution via py/repr
V. Comments for CVE-2026-8634
No comments yet