Remote Code Execution Vulnerability in Crawl4AI Docker API Deployment
CVE-2026-26216

10 CRITICAL

Key Information:

Vendor

Unclecode

Status
Vendor
CVE Published:
12 February 2026

What is CVE-2026-26216?

Crawl4AI versions earlier than 0.8.0 contain a remote code execution flaw in the Docker API deployment. The /crawl endpoint accepts a hooks parameter whose Python code is executed with the built-in exec() function. Because __import__ is included in the list of allowed built-ins, an unauthenticated remote attacker can import arbitrary Python modules and run system commands. The impact includes complete server takeover, arbitrary command execution, unauthorized file access, sensitive data leakage, and potential lateral movement within the internal network.
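The following added example (not code from Crawl4AI or from this advisory) shows why an exec() built-ins allowlist that contains __import__ does not restrict hook code, next to the same allowlist with that name removed and a review check for the allowlist. The allowlists, the function names and the harmless sample hook are assumptions constructed for illustration.

```python
import builtins

# Hypothetical allowlists modelled on the description above (not Crawl4AI's code).
WEAK_ALLOWED = ["len", "str", "dict", "print", "__import__"]
HARDENED_ALLOWED = ["len", "str", "dict", "print"]

# Built-ins that hand hook code a way to load or run further code or touch
# files. Non-exhaustive list, chosen for this example.
RISKY_BUILTINS = {"__import__", "eval", "exec", "compile", "open", "getattr"}

# Constructed, harmless hook body standing in for a user-supplied hook.
SAMPLE_HOOK = "import json\nresult = json.dumps({'ok': True})"


def run_hook(source, allowed):
    """exec() hook source with only the named built-ins in scope."""
    scope = {"__builtins__": {name: getattr(builtins, name) for name in allowed}}
    exec(source, scope)
    return scope.get("result")


def import_is_reachable(allowed):
    """True if hook code can load modules under this allowlist."""
    try:
        run_hook(SAMPLE_HOOK, allowed)
        return True
    except ImportError:
        # The import statement looks up __import__ in __builtins__; when the
        # name is absent CPython raises ImportError before loading anything.
        return False


def audit_allowlist(allowed):
    """Return the allowlisted names that should fail a review, sorted."""
    return sorted(RISKY_BUILTINS.intersection(allowed))


if __name__ == "__main__":
    for label, allowed in (("weak", WEAK_ALLOWED), ("hardened", HARDENED_ALLOWED)):
        print(label, "import reachable:", import_is_reachable(allowed),
              "flagged:", audit_allowlist(allowed))
```

A check like audit_allowlist works as a regression test for the allowlist, but a filtered exec() is not a sandbox. Authentication on the endpoint and isolation of the container still matter.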

Affected Version(s)

Crawl4AI 0 < 0.8.0

References

CVSS V4

Score:
10
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Neo by ProjectDiscovery (https://neo.projectdiscovery.io)