SSRF Vulnerability in Crawl4AI Web Crawler by Unclecode
CVE-2026-53754

7.5 HIGH

Key Information:

Vendor: Unclecode
Status: Vendor
CVE Published: 23 June 2026

What is CVE-2026-53754?

Crawl4AI, an open-source web crawler, has a vulnerability in the SSRF protection of its Docker API server. Before version 0.8.8, the IPv4/IPv6 CIDR blocklist was applied per address family and did not account for addresses that cross families: an attacker could bypass it by encoding an internal IPv4 address inside an IPv6 literal, or by supplying the unspecified IPv6 address (::). Because the Docker API runs with unauthenticated access by default, this oversight allows unauthorized requests to internal services and to cloud metadata endpoints such as 169.254.169.254. The vulnerability has been addressed in version 0.8.8.
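The following added example (written for this page, not Crawl4AI's own code) contrasts a per-family CIDR blocklist of the kind the advisory describes with a family-agnostic check that unwraps an IPv4 address embedded in an IPv6 literal and rejects the unspecified address. It goes slightly beyond the advisory by also handling the deprecated `::a.b.c.d` form; hostnames, DNS resolution and redirects are out of scope, and the blocklist contents are constructed for illustration.

```python
import ipaddress

# Constructed blocklist in the style the advisory describes: per-family CIDR
# ranges, with nothing said about IPv4 addresses embedded in IPv6 literals or
# about the unspecified address "::".
NAIVE_BLOCKLIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def naive_is_blocked(host: str) -> bool:
    """Weak check: an IPv6 literal is only compared against IPv6 ranges, so
    ::ffff:169.254.169.254 never matches 169.254.0.0/16 and :: matches nothing."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames would be resolved before this point in a real crawler
    return any(ip in net for net in NAIVE_BLOCKLIST)


def _unwrap_embedded_ipv4(ip):
    """Return the IPv4 address carried inside an IPv6 literal, if there is one."""
    if isinstance(ip, ipaddress.IPv6Address):
        if ip.ipv4_mapped is not None:          # ::ffff:a.b.c.d
            return ip.ipv4_mapped
        if 0 < int(ip) < 2 ** 32:               # deprecated IPv4-compatible ::a.b.c.d
            return ipaddress.IPv4Address(int(ip))
    return ip


def hardened_is_blocked(host: str) -> bool:
    """Family-agnostic check: classify by address properties after unwrapping
    any embedded IPv4 address, so it is judged by the IPv4 rules."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    if ip.is_unspecified or ip.is_loopback:      # rejects "::" and "::1" outright
        return True
    ip = _unwrap_embedded_ipv4(ip)
    return ip.is_private or ip.is_link_local or ip.is_multicast or ip.is_reserved


if __name__ == "__main__":
    for host in ("169.254.169.254", "::ffff:169.254.169.254",
                 "::169.254.169.254", "::", "::ffff:8.8.8.8"):
        print(f"{host:26} naive={naive_is_blocked(host)!s:5} "
              f"hardened={hardened_is_blocked(host)}")
```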

Affected Version(s)

crawl4ai < 0.8.8

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
