The vulnerability CVE-2026-8634 affects openclaw's Crabbox before version 0.12.0. It arises from an environment variable exposure issue where attackers controlling a malicious or compromised repository can exploit overly permissive environment variable allowlisting in the local Crabbox configuration. This allows serialization of sensitive environment variables into remote command execution contexts, leading to exposure of secrets such as API tokens, cloud credentials, and broker tokens. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and has a critical CVSS 4.0 score of 9.3. There is no vendor advisory or patch available at this time, and the product is not a cloud service, so remediation depends on vendor updates or configuration changes.

Successful exploitation can lead to exposure of sensitive credentials and secrets from the local environment to the remote command environment. This can compromise API tokens, cloud credentials, and broker tokens, potentially allowing unauthorized access to cloud services, APIs, or message brokers. The vulnerability is critical due to the ease of remote exploitation without authentication and the high impact of credential exposure. No known exploits in the wild have been reported so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or temporary mitigation is currently available, users should avoid using vulnerable versions of Crabbox or restrict repository access to trusted parties only. Review and tighten environment variable allowlisting configurations to minimize exposure of sensitive variables in remote command executions. Monitor vendor channels for updates or patches addressing this vulnerability.