Crabbox Path Traversal (CVE-2026-45224) Enables Arbitrary File Deletion

The National Vulnerability Database has disclosed CVE-2026-45224, a high-severity path traversal vulnerability in Crabbox before version 0.9.0. The flaw resides in the Islo provider's workspace path resolution, which lets a configured path resolve outside the intended /workspace directory instead of being confined to it.

Attackers can craft a malicious .crabbox.yaml or crabbox.yaml file containing traversal sequences. When the sync.delete option is enabled, the workspace preparation logic runs rm -rf and then mkdir -p on the resolved path without checking that it still lies under /workspace, so the deletion and recreation land wherever the traversal points. The practical result is arbitrary file deletion and overwriting on the host that processes the configuration: a repository-supplied config file is enough to trigger it, and no code execution is needed to do the damage.

With a CVSS score of 7.1 (HIGH), this vulnerability poses a significant risk. The attacker's calculus is straightforward: a seemingly innocuous configuration file yields impactful filesystem operations. Defenders should note that the impact does not come from code execution but from destructive file operations (rm -rf, mkdir -p) being pointed at a path the attacker controls.
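To make the failure mode concrete, the following is an added example written for this article, not Crabbox's own code (the project's language and internal function names are not given in the advisory; Rust is an assumption here). It puts an unchecked join of the kind the advisory describes beside a contained resolution, and plans the rm -rf / mkdir -p step only against a path that passed the check. The sample workspace paths are constructed, and the name of the YAML field that carries the path is not shown in the advisory, so only the path values themselves are modelled.

```rust
use std::path::{Component, Path, PathBuf};

/// Root that workspace paths are supposed to stay under (from the advisory).
const WORKSPACE_ROOT: &str = "/workspace";

/// Unchecked resolution in the style the advisory describes: the configured
/// path is joined under the root and used as-is. Two things go wrong:
/// `..` components are never collapsed or checked, and `Path::join` with an
/// absolute right-hand side discards the root entirely.
fn resolve_unchecked(root: &str, configured: &str) -> PathBuf {
    Path::new(root).join(configured)
}

/// Lexically normalise a path: drop `.`, resolve `..` against the components
/// already seen (popping at `/` is a no-op, so nothing climbs above root).
/// Purely lexical on purpose: `std::fs::canonicalize` would also follow
/// symlinks but requires the path to exist, and the point of `mkdir -p`
/// is that it may not exist yet.
fn normalize(path: &Path) -> PathBuf {
    let mut out = PathBuf::new();
    for comp in path.components() {
        match comp {
            Component::Prefix(p) => out.push(p.as_os_str()),
            Component::RootDir => out.push("/"),
            Component::CurDir => {}
            Component::ParentDir => {
                out.pop();
            }
            Component::Normal(s) => out.push(s),
        }
    }
    out
}

/// Hardened resolution: refuse absolute configured paths, normalise the join,
/// and require the result to still be inside `root`. `Path::starts_with` is
/// component-wise, so `/workspace-old` is not accepted as a child of
/// `/workspace` the way a plain string-prefix check would accept it.
fn resolve_contained(root: &str, configured: &str) -> Result<PathBuf, String> {
    let cfg = Path::new(configured);
    if cfg.is_absolute() {
        return Err(format!("workspace path must be relative: {}", configured));
    }
    let resolved = normalize(&Path::new(root).join(cfg));
    if !resolved.starts_with(root) {
        return Err(format!("workspace path escapes {}: {}", root, configured));
    }
    Ok(resolved)
}

/// Plan the preparation step the advisory describes (`rm -rf` when
/// sync.delete is on, then `mkdir -p`), but only against a contained path.
/// Commands are returned as strings instead of executed so the logic can be
/// exercised safely; a real implementation would spawn them.
fn plan_prepare(root: &str, configured: &str, sync_delete: bool) -> Result<Vec<String>, String> {
    let target = resolve_contained(root, configured)?;
    let mut cmds = Vec::new();
    if sync_delete {
        cmds.push(format!("rm -rf {}", target.display()));
    }
    cmds.push(format!("mkdir -p {}", target.display()));
    Ok(cmds)
}

fn main() {
    // Constructed values standing in for what a malicious config might carry.
    let samples = ["proj/build", "../etc/cron.d", "proj/../../var/lib", "/etc", "../workspace-old"];
    for s in samples.iter() {
        println!(
            "{:>20}  unchecked -> {:<28} checked -> {:?}",
            s,
            resolve_unchecked(WORKSPACE_ROOT, s).display().to_string(),
            resolve_contained(WORKSPACE_ROOT, s)
        );
    }
    println!("{:?}", plan_prepare(WORKSPACE_ROOT, "proj/build", true));
}
```

The unchecked join shows both escape routes at once: "../etc/cron.d" survives as "/workspace/../etc/cron.d" and is later interpreted by the shell, and an absolute "/etc" replaces the root outright. The contained version rejects both before any command is built, which is the check the advisory says was missing before 0.9.0.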

What This Means For You

  • If your organization uses Crabbox, check your version now and upgrade to Crabbox 0.9.0 or later to patch CVE-2026-45224. Until then, treat any .crabbox.yaml or crabbox.yaml that arrives from a repository or other untrusted source as untrusted input. Review where sync.delete is enabled, since that is the setting that turns the traversal into an rm -rf; disabling it limits the effect to misplaced mkdir -p calls but does not fix the underlying path resolution, so the upgrade is still required. In CI/CD pipelines or deployment scripts that invoke Crabbox, validate any user-supplied path so it resolves inside the intended workspace before the tool sees it.

Indicators of Compromise

ID             | Type                     | Indicator
CVE-2026-45224 | Path traversal           | Crabbox before 0.9.0
CVE-2026-45224 | Path traversal           | Islo provider's workspace path resolution
CVE-2026-45224 | Arbitrary file deletion  | Malicious .crabbox.yaml or crabbox.yaml file with traversal sequences when sync.delete is enabled
CVE-2026-45224 | Arbitrary file overwrite | Malicious .crabbox.yaml or crabbox.yaml file with traversal sequences when sync.delete is enabled
Source & Attribution
Source platform: NVD
Channel: National Vulnerability Database
Published: May 11, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
