CVE Catalog

CVE-2026-8634

Critical
Published: Translated: NVD NIST

Summary

Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment.

Risk Assessment

Attackers can exploit overly permissive environment variable allowlisting in repo-local Crabbox configuration to serialize sensitive environment variables into remote command execution, exposing credentials to the remote environment.

Recommendation

It is recommended to update Crabbox to version v0.12.0 or later and review environment variable policies in repository configurations to minimize the risk of credential exposure.

Original NVD description (English source)

Crabbox prior to v0.12.0 contains an environment variable exposure vulnerability that allows attackers with access to a malicious or compromised repository to forward local secrets such as API tokens, cloud credentials, and broker tokens into the remote command environment. Attackers can exploit overly permissive environment variable allowlisting in repo-local Crabbox configuration to serialize sensitive environment variables into remote command execution, exposing credentials to the remote environment.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS