Authentication Bypass Vulnerability in Crawl4AI by UncleCode
CVE-2026-56265

9.3 CRITICAL

Key Information:

Vendor: Crawl4ai
Status: Vendor
CVE Published: 21 June 2026

What is CVE-2026-56265?

Crawl4AI versions prior to 0.8.7 ship a hardcoded default JWT signing key in the Docker API server. Because the default is fixed and known, any attacker who has it can sign their own tokens, and the server accepts those tokens as genuine, so the authentication layer is bypassed entirely. A forged token grants access to every protected endpoint and to the data behind them, which is why the flaw is rated critical. Any deployment that left the default in place is exposed; the attacker needs no account, no user interaction, and only network access to the API.
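The mechanism described above, as an added example that is not Crawl4AI's own code: a minimal HS256 JWT signer and verifier built on the standard library, a "vulnerable" secret loader that silently falls back to a baked-in default, and a hardened loader that refuses to start on a missing, default or short key. The default key value, the environment variable name SECRET_KEY, the claim names and the startup checks are all assumptions for illustration; the real project's code, claims and default differ.

```python
"""Added example, not Crawl4AI's code. Shows why a hardcoded default JWT
signing key is an authentication bypass: whoever knows the default can mint
tokens the server accepts. DEFAULT_SECRET, SECRET_KEY and the claim layout
are assumptions for illustration, not the project's real values."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Hypothetical hardcoded default, standing in for whatever the vulnerable
# release shipped. Its exact value does not matter; that it is public does.
DEFAULT_SECRET = "change-me-default-secret"  # assumption


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT. Anyone holding `secret` can call this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; refuse "none" and alg confusion
            return None
        expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        return None
    return claims


def vulnerable_server_secret(env: dict) -> str:
    """Pre-fix pattern: silently fall back to the baked-in default."""
    return env.get("SECRET_KEY", DEFAULT_SECRET)


def hardened_server_secret(env: dict) -> str:
    """Post-fix pattern: refuse to run on a missing, default or weak key."""
    secret = env.get("SECRET_KEY")
    if not secret:
        raise RuntimeError("SECRET_KEY is not set; refusing to start")
    if secret == DEFAULT_SECRET:
        raise RuntimeError("SECRET_KEY is the published default; refusing to start")
    if len(secret) < 32:
        raise RuntimeError("SECRET_KEY is too short for HS256; use at least 32 random bytes")
    return secret


def attacker_forges_token(server_secret: str) -> Optional[dict]:
    """An attacker who knows only DEFAULT_SECRET mints an admin token.
    The server accepts it exactly when it is still signing with the default."""
    forged = sign_jwt({"sub": "attacker", "role": "admin", "exp": time.time() + 3600}, DEFAULT_SECRET)
    return verify_jwt(forged, server_secret)


if __name__ == "__main__":
    # Deployment that never set SECRET_KEY: the forged token is accepted.
    print(attacker_forges_token(vulnerable_server_secret({})))
    # Deployment with a real secret: the same forged token is rejected.
    real = hardened_server_secret({"SECRET_KEY": secrets.token_urlsafe(48)})
    print(attacker_forges_token(real))
```

The point of the hardened loader is that the fix is not only "pick a better default": a default that is ever shipped is a key the attacker has. Failing closed at startup when the operator has not supplied a secret is what removes the bypass.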

Affected Version(s)

Crawl4AI, all versions before 0.8.7

Crawl4AI 0.8.7 (listed separately on the source page; per the description above this is the release that removes the default key)

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None

Timeline

  • Vulnerability Reserved

  • Vulnerability published: 21 June 2026