What is GHSA-3cjv-h753-qf7h?

GHSA-3cjv-h753-qf7h is a security advisory published by GitHub Security Advisories with Medium severity. Crabbox contains a path traversal vulnerability in the Islo provider's workspace path resolution

Which CVE IDs does GHSA-3cjv-h753-qf7h cover?

GHSA-3cjv-h753-qf7h covers the following CVE IDs: CVE-2026-45224. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-3cjv-h753-qf7h?

GHSA-3cjv-h753-qf7h has a CVSS v3 base score of 7.1, published by GitHub Security Advisories.

Which products are affected by GHSA-3cjv-h753-qf7h?

GHSA-3cjv-h753-qf7h affects 1 product, including: go/github.com/openclaw/crabbox:\u003c 0.9.0.

GHSA-3cjv-h753-qf7hMediumCVSS 7.1

Crabbox contains a path traversal vulnerability in the Islo provider's workspace path resolution

Vendor

GitHub Security Advisories

Published

May 11, 2026

Last Modified

May 18, 2026

🔗 CVE IDs covered (1)

CVE-2026-45224 →

📋 Description

Crabbox before 0.9.0 contains a path traversal vulnerability in the Islo provider's workspace path resolution that allows attackers to supply absolute or relative paths that resolve outside the intended /workspace directory. Attackers can craft a malicious .crabbox.yaml or crabbox.yaml file with traversal sequences to cause arbitrary file deletion and overwrite when sync.delete is enabled, as the workspace preparation logic executes rm -rf and mkdir -p operations on the resolved path without proper validation.

🎯 Affected products1

go/github.com/openclaw/crabbox:< 0.9.0

🔗 References (6)

https://nvd.nist.gov/vuln/detail/CVE-2026-45224
https://github.com/openclaw/crabbox/pull/65
https://github.com/openclaw/crabbox/commit/6b07193fb5670aac315ea47215651c67b8127868
https://github.com/openclaw/crabbox/releases/tag/v0.9.0
https://www.vulncheck.com/advisories/crabbox-path-traversal-via-islo-provider-workspace-resolution
https://github.com/advisories/GHSA-3cjv-h753-qf7h