SSRF Vulnerability in Crawl4AI Web Crawler by Unclecode
CVE-2026-57573
8.6HIGH
What is CVE-2026-57573?
Crawl4AI, an open-source LLM-friendly web crawler, has a vulnerability in its Docker API server that allows unauthorized remote clients to access internal addresses. The vulnerability exists due to the lack of destination validation on the streaming path of the /crawl endpoint up to version 0.9.0. By exploiting this flaw, an attacker can send POST requests with specific configurations, leading the server to fetch and stream responses from internal, private, or link-local addresses without proper checks, posing a significant risk to the exposed network.
Affected Version(s)
crawl4ai < 0.9.0
