PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8634 openclaw CVE debrief

Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment. The vulnerability is caused by overly permissive environment variable allowlisting in repo-local Crabbox configuration, which can be exploited by attackers to serialize sensitive environment variables into remote command execution, exposing credentials to the remote environment. Users of Crabbox versions prior to v0.12.0 should review their configurations and update to the latest version to prevent potential exposure of sensitive environment variables.

Vendor
openclaw
Product
crabbox
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-14
Original CVE updated
2026-07-14
Advisory published
2026-05-14
Advisory updated
2026-07-14

Who should care

Users of Crabbox versions prior to v0.12.0 should review their configurations and update to the latest version to prevent potential exposure of sensitive environment variables. This includes operators managing affected deployments, platform administrators responsible for environment variable configurations, vulnerability management teams assessing exposure, and security teams monitoring for suspicious activity related to environment variable usage.

Technical summary

The Crabbox environment variable exposure vulnerability allows attackers to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment. This is possible due to overly permissive environment variable allowlisting in repo-local Crabbox configuration, which can be exploited by attackers with access to a malicious or compromised repository. The vulnerability affects Crabbox versions prior to v0.12.0 and can be mitigated by updating to the latest version and reviewing configurations to ensure only necessary environment variables are exposed.

Defensive priority

Highly Critical

Recommended defensive actions

  • Review and update Crabbox configurations to ensure only necessary environment variables are exposed
  • Implement strict access controls for repositories to prevent malicious or compromised repository access
  • Monitor environment variable usage and logs for suspicious activity
  • Consider implementing compensating controls such as secret management solutions
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed

Evidence notes

The CVE record was published on 2026-05-14T20:17:21.717Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The Crabbox environment variable exposure vulnerability allows attackers to forward local secrets into the remote command environment. This is possible due to overly permissive environment variable allowlisting in repo-local Crabbox configuration.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-05-14T20:17:21.717Z and has not been modified since then. The NVD entry is currently Deferred.