VYPR

Crabbox

by OpenClaw

CVEs (5)

  • CVE-2026-8634, Cri, May 14, 2026
    risk 0.52, CVSS 9.1, EPSS 0.01

    Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment.…

  • CVE-2026-8621, Hig, May 14, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers. Attackers can inject malicious X-Crabbox-Owner and X-Crabbox-Org headers in requests…

  • CVE-2026-45223, Hig, May 11, 2026
    risk 0.50, CVSS 8.8, EPSS 0.00

    Crabbox before 0.9.0 contains an authentication bypass vulnerability in the coordinator user-token verification path where the verifyUserToken() function fails to reject payloads containing an admin claim, allowing attackers to escalate privileges. An attacker with access to the…

  • CVE-2026-8629, Hig, May 14, 2026
    risk 0.46, CVSS 8.1, EPSS 0.00

    Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints. Attackers can exploit insufficient access control checks on…

  • CVE-2026-45224, Hig, May 11, 2026
    risk 0.39, CVSS 7.1, EPSS 0.00

    Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or…