Server-Side Request Forgery in Crawl4AI Docker API by UncleCode
CVE-2026-56261
9.2CRITICAL
What is CVE-2026-56261?
Crawl4AI versions prior to 0.8.7 are vulnerable to a server-side request forgery (SSRF) attack through its Docker API endpoints, specifically in the /crawl/job and /llm/job paths. These endpoints allow users to submit webhook URLs without proper validation, enabling attackers to craft malicious payloads that redirect requests to private or internal IP addresses, Docker networks, or cloud metadata endpoints. This vulnerability can lead to exposure of sensitive internal services and cloud metadata, posing significant risks to the targeted environment.
Affected Version(s)
Crawl4AI 0 < 0.8.7
Crawl4AI 0.8.7
