SSRF Vulnerability in Crawl4AI Web Crawler by Unclecode
CVE-2026-57573

8.6HIGH

Key Information:

Vendor

Unclecode

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-57573?

Crawl4AI, an open-source LLM-friendly web crawler, has a vulnerability in its Docker API server that allows unauthorized remote clients to access internal addresses. The vulnerability exists due to the lack of destination validation on the streaming path of the /crawl endpoint up to version 0.9.0. By exploiting this flaw, an attacker can send POST requests with specific configurations, leading the server to fetch and stream responses from internal, private, or link-local addresses without proper checks, posing a significant risk to the exposed network.

Affected Version(s)

crawl4ai < 0.9.0

References

CVSS V3.1

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.