Crabbox < 0.9.0 Path Traversal via Islo Provider Workspace Resolution

Advisories

severity: medium
date: 5/11/2026
Affecting: Crabbox < 0.9.0
CVE: CVE-2026-45224
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 6.8
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
References: Release Notes
Pull Request
Patch Commit
Credit: Chia Min Jun Lennon
Description: Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or crabbox.yaml file with traversal sequences to cause arbitrary file deletion and overwrite when sync.delete is enabled, as the workspace preparation logic executes rm -rf and mkdir -p operations on the resolved path without proper validation.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo