Server-Side Request Forgery in Crawl4AI Docker API by UncleCode
CVE-2026-56261

9.2CRITICAL

Key Information:

Vendor

Crawl4ai

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-56261?

Crawl4AI versions prior to 0.8.7 are vulnerable to a server-side request forgery (SSRF) attack through its Docker API endpoints, specifically in the /crawl/job and /llm/job paths. These endpoints allow users to submit webhook URLs without proper validation, enabling attackers to craft malicious payloads that redirect requests to private or internal IP addresses, Docker networks, or cloud metadata endpoints. This vulnerability can lead to exposure of sensitive internal services and cloud metadata, posing significant risks to the targeted environment.

Affected Version(s)

Crawl4AI 0 < 0.8.7

Crawl4AI 0.8.7

References

CVSS V4

Score:
9.2
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.