← Back
2026-06-22 21:4CVE-2026-56266VulnCheck
PUBLISHED5.2CWE-918

Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints

Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.

Problem type

Affected products

Crawl4AI

Crawl4AI

< 0.8.7 - AFFECTED

0.8.7 - UNAFFECTED

References

https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg

https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg

vendor-advisory
https://github.com/unclecode/crawl4ai

https://github.com/unclecode/crawl4ai

product
VulnCheck Advisory: Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints

https://www.vulncheck.com/advisories/crawl4ai-server-side-request-forgery-via-direct-crawl-endpoints

third-party-advisory

GitHub Security Advisories

GHSA-365w-hqf6-vxfg

Crawl4AI: Multiple Docker API Vulnerabilities - File Write, SSRF, Auth Bypass, XSS, JS Execution

https://github.com/advisories/GHSA-365w-hqf6-vxfg

Summary

Multiple security vulnerabilities in the Crawl4AI Docker API server affecting endpoints for crawling, markdown/LLM extraction, screenshots, PDFs, webhooks, monitoring, JavaScript execution, and configuration.

Vulnerabilities

1. Arbitrary File Write via /screenshot and /pdf (CWE-22, CVSS 9.1)

The output_path parameter accepts arbitrary filesystem paths with no validation. An attacker can overwrite server files (DoS) or write to any appuser-writable location.

Fix: Added validate_output_path() restricting writes to CRAWL4AI_OUTPUT_DIR (/tmp/crawl4ai-outputs by default). Added Pydantic field_validator rejecting .. traversal sequences.

2. SSRF via Webhook URL (CWE-918, CVSS 8.6)

Webhook URLs in /crawl/job and /llm/job accept internal/private IPs with no validation, enabling Server-Side Request Forgery against cloud metadata endpoints (169.254.169.254), internal services, and Docker networks.

Fix: Added validate_webhook_url() with blocklist for RFC 1918, loopback, link-local, cloud metadata IPs and hostnames. Validation at both job submission and send time. Explicit follow_redirects=False.

3. Authentication Bypass on Monitor Endpoints (CWE-306, CVSS 6.5)

The monitor router was mounted without token_dep dependency, making all monitoring endpoints (including destructive ones like /monitor/actions/cleanup) accessible without authentication.

Fix: Added dependencies=[Depends(token_dep)] to monitor router. Added explicit token check on WebSocket /monitor/ws endpoint.

4. Stored XSS in Monitor Dashboard (CWE-79, CVSS 6.1)

URLs and error messages rendered in the monitor dashboard via innerHTML without escaping, enabling stored XSS via crafted crawl URLs.

Fix: Server-side html.escape() on URL and error storage. Client-side escapeHtml() wrapper on all innerHTML template injections.

5. Arbitrary JavaScript Execution via /execute_js (CWE-94, CVSS 8.1)

The /execute_js endpoint accepts and executes arbitrary JavaScript in the server's browser with --disable-web-security enabled, combining arbitrary JS execution with SSRF capability.

Fix: Disabled by default via CRAWL4AI_EXECUTE_JS_ENABLED env var. Added SSRF blocklist on destination URL. Removed --disable-web-security from default browser args.

6. Hardcoded JWT Secret Key (CWE-798, CVSS 9.8)

The JWT signing key defaults to "mysecret" in the public source code, allowing anyone to forge valid authentication tokens.

Fix: Removed default value. Added startup validation rejecting weak/short secrets. Auto-generates ephemeral key when JWT enabled but no key set.

7. SSRF via Direct Crawl Endpoints /crawl, /md, /llm (CWE-918, CVSS 8.6)

The primary crawl entry points (/crawl, /crawl/stream, /md, /llm) fetch arbitrary user-supplied URLs with no destination validation, enabling Server-Side Request Forgery against internal services, Docker networks, and cloud metadata endpoints (169.254.169.254). A blocklist that only inspects the literal hostname is additionally bypassable via IPv6-mapped IPv4 addresses (e.g. [::ffff:169.254.169.254], [::ffff:10.0.0.1]), which resolve to the blocked private/metadata ranges but evade a naive string check.

Fix: Added URL destination validation on all crawl/md/llm entry points, reusing the SSRF blocklist (RFC 1918, loopback, link-local, cloud-metadata IPs and hostnames). IPv6-mapped IPv4 addresses are normalized to their IPv4 form before the blocklist check, closing the mapping bypass. raw:// URLs are skipped. Validation applies at request entry, not only at fetch time.

Workarounds

  1. Upgrade to the patched version (recommended)
  2. Set CRAWL4AI_API_TOKEN to enable authentication
  3. Set a strong SECRET_KEY (min 32 chars) if using JWT
  4. Restrict network access to the Docker API

Credits

  • Jeongbean Jeon - file write, SSRF, monitor auth bypass, stored XSS
  • wulonchia - file write via output_path (independent report)
  • by111 (August829) - hardcoded JWT, eval in /config/dump, /execute_js, hook sandbox escape
  • secsys_codex - SSRF via /md, /crawl, /llm endpoints + IPv6-mapped IPv4 bypass (URL destination validation)
  • Velayutham Selvaraj (LinkedIn) - SSRF via missing host validation in validate_url_scheme (independent report)
  • IcySun & Yashon - SSRF, arbitrary file write, missing-auth-by-default, hook sandbox bypass via asyncio (independent report)
github.com

https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2026-56266

github.com

https://github.com/unclecode/crawl4ai

vulncheck.com

https://www.vulncheck.com/advisories/crawl4ai-server-side-request-forgery-via-direct-crawl-endpoints

github.com

https://github.com/advisories/GHSA-365w-hqf6-vxfg

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-56266
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-56266",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-06-22T21:04:44.755Z",
    "dateReserved": "2026-06-20T01:42:20.615Z",
    "datePublished": "2026-06-22T21:04:44.755Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-06-22T21:04:44.755Z"
      },
      "datePublic": "2026-06-16T00:00:00.000Z",
      "title": "Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints",
      "descriptions": [
        {
          "lang": "en",
          "value": "Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints."
        }
      ],
      "affected": [
        {
          "vendor": "Crawl4AI",
          "product": "Crawl4AI",
          "defaultStatus": "unaffected",
          "versions": [
            {
              "version": "0",
              "status": "affected",
              "versionType": "semver",
              "lessThan": "0.8.7"
            },
            {
              "version": "0.8.7",
              "status": "unaffected",
              "versionType": "semver"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Server-Side Request Forgery (SSRF)",
              "cweId": "CWE-918",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg",
          "name": "https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg",
          "tags": [
            "vendor-advisory"
          ]
        },
        {
          "url": "https://github.com/unclecode/crawl4ai",
          "name": "https://github.com/unclecode/crawl4ai",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/crawl4ai-server-side-request-forgery-via-direct-crawl-endpoints",
          "name": "VulnCheck Advisory: Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 8.6,
            "baseSeverity": "HIGH"
          }
        }
      ]
    }
  }
}