Attack Chain

1. Attacker crafts a malicious .crabbox.yaml or crabbox.yaml file.
2. The malicious YAML file contains path traversal sequences (e.g., ../) within the workspace path definition.
3. The attacker places the crafted YAML file in a location accessible to the Crabbox application.
4. The Crabbox application processes the YAML file using the Islo provider.
5. The Islo provider’s workspace path resolution logic resolves the attacker-supplied path, failing to properly sanitize directory traversal sequences.
6. If sync.delete is enabled, the application executes rm -rf on the resolved (malicious) path, leading to arbitrary file deletion.
7. Subsequently, the application executes mkdir -p on the resolved path, potentially overwriting existing files and directories.
8. The attacker achieves arbitrary file deletion and overwrite, potentially leading to data loss or system compromise.

Impact

Successful exploitation of CVE-2026-45224 allows attackers to delete or overwrite arbitrary files and directories on the system where Crabbox is running. The severity of the impact depends on the privileges of the Crabbox process and the location of the files that are targeted. A successful attack could lead to data loss, denial of service, or in some circumstances, even remote code execution if critical system files are overwritten.

Recommendation

• Upgrade Crabbox to version 0.9.0 or later to patch CVE-2026-45224.
• As a workaround, disable the sync.delete option in Crabbox configurations to mitigate the file deletion aspect of the vulnerability.
• Implement the Sigma rule “Detect Crabbox Path Traversal Attempt via Malicious YAML” to detect suspicious .crabbox.yaml files containing path traversal sequences.
• Monitor file system events for rm -rf and mkdir -p commands executed by the Crabbox process, especially when the target paths contain directory traversal sequences, using the Sigma rule “Detect Suspicious rm -rf or mkdir -p with Path Traversal”.