VYPR
High severity 7.1 · NVD Advisory · Published May 11, 2026 · Updated May 12, 2026

CVE-2026-45224

Description

Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or crabbox.yaml file with traversal sequences to cause arbitrary file deletion and overwrite when sync.delete is enabled, as the workspace preparation logic executes rm -rf and mkdir -p operations on the resolved path without proper validation.
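
The containment check the description says was missing, as an added example in Go (the affected package's language). This is not Crabbox's code or the actual patch: `naiveResolve`, `safeResolve` and the sample inputs are hypothetical, and only the `/workspace` root comes from the advisory.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// workspaceRoot mirrors the /workspace directory named in the advisory.
const workspaceRoot = "/workspace"

var errOutsideWorkspace = errors.New("workspace path resolves outside " + workspaceRoot)

// naiveResolve is a hypothetical sketch of the flawed pattern: absolute paths
// are trusted and relative ones are joined without a containment check.
func naiveResolve(configured string) string {
	if path.IsAbs(configured) {
		return configured
	}
	return path.Join(workspaceRoot, configured)
}

// safeResolve (hypothetical helper) returns a cleaned path that is guaranteed
// to be workspaceRoot or a descendant of it, or an error.
func safeResolve(configured string) (string, error) {
	if configured == "" {
		return workspaceRoot, nil
	}
	// Join cleans its result, collapsing "..", "." and duplicate slashes.
	// An absolute input is cleaned as-is; both forms get the same check below.
	resolved := path.Join(workspaceRoot, configured)
	if path.IsAbs(configured) {
		resolved = path.Clean(configured)
	}
	// The trailing "/" stops sibling names such as /workspace-evil from matching.
	if resolved != workspaceRoot && !strings.HasPrefix(resolved, workspaceRoot+"/") {
		return "", fmt.Errorf("%w: %q -> %q", errOutsideWorkspace, configured, resolved)
	}
	return resolved, nil
}

func main() {
	// Constructed sample values for a workspace path taken from a config file.
	for _, p := range []string{"app", "../etc", "/etc", "/workspace/../home", "/workspace-evil"} {
		got, err := safeResolve(p)
		fmt.Printf("%-22q naive=%-18q safe=%q err=%v\n", p, naiveResolve(p), got, err)
	}
}
```

The check is purely lexical, so it does not account for symlinks inside the workspace; any delete or create step should run only on the path it returns.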

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                            Affected versions   Patched versions
github.com/openclaw/crabbox (Go)   < 0.9.0             0.9.0

Affected products

  • OpenClaw/Crabbox (2 versions)
    • (no CPE)
    • (no CPE), range: <0.9.0
