CVE-2026-8634CRITICAL 9.1EPSS p49.8%

CVE-2026-8634CVE-2026-8634

Description

Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment. Attackers can exploit overly permissive environment variable allowlisting in repo-local Crabbox configuration to serialize sensitive environment variables into remote command execution, exposing credentials to the remote environment.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.74% probability of exploitation · percentile 49.8% · 2026-06-19T12:03:05Z
Published2026-05-14
Last modified2026-05-15

Underlying weaknesses· 1

CWE-94

References

  1. https://github.com/openclaw/crabbox/commit/eaae40ae4ce009e60633f16f7f19600c74557f6f
  2. https://github.com/openclaw/crabbox/pull/78
  3. https://github.com/openclaw/crabbox/releases/tag/v0.12.0
  4. https://www.vulncheck.com/advisories/crabbox-environment-variable-information-disclosure
  5. https://github.com/openclaw/crabbox/pull/78

1

TypeTargetConfidenceTier
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-8621
CVE
CVE-2026-8629
CVE
CVE-2026-45223
CVE
CVE-2026-35650
CVE
CVE-2026-43531
CVE
CVE-2026-41294
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.