PT-2026-41031 · Crabbox · Crabbox

Published: 2026-05-14 · Updated: 2026-06-25 · CVE-2026-8634

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Crabbox versions prior to 0.12.0

Description

An environment variable exposure issue allows attackers with access to a malicious or compromised repository to forward local secrets, such as API tokens, cloud credentials, and broker tokens, into the remote command environment. This occurs due to overly permissive environment variable allowlisting in the repo-local configuration, which enables the serialization of sensitive environment variables into remote command execution, thereby exposing credentials to the remote environment.

Recommendations

Update to version 0.12.0 or later.
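
The following is an added example, not Crabbox's code and not taken from the 0.12.0 fix: a guard that screens names matched by a repo-supplied allowlist against a deny list of secret-looking names before anything is forwarded. The glob syntax, the function names, the deny patterns and the sample environment are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"sort"
	"strings"
)

// secretPatterns is a constructed deny list of globs for names that commonly hold credentials.
var secretPatterns = []string{"*TOKEN*", "*SECRET*", "*PASSWORD*", "*CREDENTIAL*", "*API_KEY*", "AWS_*", "GOOGLE_*", "AZURE_*"}

// matchAny reports whether name matches any glob, case-insensitively.
func matchAny(patterns []string, name string) bool {
	for _, p := range patterns {
		if ok, err := path.Match(strings.ToUpper(p), strings.ToUpper(name)); err == nil && ok {
			return true
		}
	}
	return false
}

// FilterForward (hypothetical helper) applies the repo-local allowlist to the local
// environment, then withholds any allowed name that looks like a secret.
func FilterForward(repoAllow []string, env map[string]string) (forward, blocked []string) {
	for name := range env {
		if !matchAny(repoAllow, name) {
			continue // not requested by the repo config, never forwarded
		}
		if matchAny(secretPatterns, name) {
			blocked = append(blocked, name) // requested by the repo, but credential-like
		} else {
			forward = append(forward, name)
		}
	}
	sort.Strings(forward)
	sort.Strings(blocked)
	return forward, blocked
}

func main() {
	repoAllow := []string{"*"} // constructed: overly permissive repo-local allowlist
	env := map[string]string{"CI": "1", "LANG": "C", "GITHUB_TOKEN": "x", "AWS_SECRET_ACCESS_KEY": "x"}
	forward, blocked := FilterForward(repoAllow, env)
	fmt.Println("forward:", forward)
	fmt.Println("blocked:", blocked)
}
```

A name-based deny list is only a backstop: a secret stored under an innocuous variable name passes it, so the allowlist itself should come from configuration the user controls rather than from the repository.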

Exploit

Fix

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2026-8634
GHSA-FM77-94QM-4894
GO-2026-5369

Affected Products

Crabbox