Threat Advisory

Crawl4AI Vulnerabilities Permit Unauthenticated Remote Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

Multiple security vulnerabilities have been identified in the Crawl4AI Python package (pip/crawl4ai) affecting versions up to 0.8.8. The issues include two server‑side request forgery (SSRF) flaws that allow unauthenticated callers to route traffic through attacker‑controlled proxies or IPv6 transition addresses to reach internal services and cloud‑metadata endpoints, and a critical remote code execution (RCE) vulnerability caused by an unsafe AST sandbox bypass. Because the Docker API is unauthenticated by default, an attacker can exploit these weaknesses to steal credentials, read or modify internal data, and execute arbitrary commands within the host environment, posing severe operational and compliance risks.

  • CVE-2026-53755 with a CVSS score of 8.6 – An unauthenticated request to the /crawl endpoint can supply a proxy_config.server pointing at an internal IP; Chromium routes all traffic through this proxy, allowing the attacker to retrieve internal services or cloud‑metadata responses that are returned verbatim in the crawl result.
  • CVE-2026-53754 with a CVSS score of 7.5 – By encoding internal IPv4 addresses inside IPv6 transition forms (e.g., NAT64, 6to4, v4‑mapped), an attacker can bypass the SSRF filter on crawl and webhook URLs, causing the Docker server to fetch internal network resources such as metadata endpoints without authentication.
  • CVE-2026-53753 with a CVSS score of 9.8 – A crafted extraction schema sent to POST /crawl exploits the AST sandbox by walking the generator frame chain to access __import__, enabling arbitrary code execution inside the Docker container without any authentication.

These vulnerabilities collectively expose the service to immediate exploitation, allowing attackers to access sensitive internal resources, exfiltrate cloud credentials, and execute arbitrary commands on the host. If left unaddressed, organizations risk data breaches, service disruption, and potential regulatory penalties, underscoring the need for urgent attention.
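Defensive check for the two SSRF issues above (the IPv6 transition-address bypass of CVE-2026-53754 and the internal proxy target of CVE-2026-53755), added here as an illustration and not code from this advisory or from the crawl4ai project: a destination filter that unwraps v4-mapped, 6to4, Teredo and NAT64 forms to the IPv4 address they embed before comparing against blocked ranges, and applies the same decision to crawl URLs, webhook URLs and a proxy_config.server value. The blocked-range list, the function names and the fake resolver in the usage section are assumptions chosen for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a crawler running inside your infrastructure should never contact on a caller's
# behalf. Constructed for this example; extend with your own VPC ranges as needed.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]
NAT64_WELL_KNOWN = ipaddress.ip_network("64:ff9b::/96")   # RFC 6052 well-known prefix


def unwrap_transition(addr):
    """Return the IPv4 address embedded in an IPv6 transition address, or addr unchanged.

    A filter that only inspects the outer IPv6 address classifies 2002:a00:1:: or
    64:ff9b::10.0.0.1 as public even though both name 10.0.0.1.
    """
    if isinstance(addr, ipaddress.IPv4Address):
        return addr
    if addr.ipv4_mapped is not None:      # ::ffff:10.0.0.1
        return addr.ipv4_mapped
    if addr.sixtofour is not None:        # 2002:0a00:0001::  (6to4, RFC 3056)
        return addr.sixtofour
    if addr.teredo is not None:           # 2001:0::/32 (Teredo, RFC 4380) -> (server, client)
        return addr.teredo[1]
    if addr in NAT64_WELL_KNOWN:          # 64:ff9b::10.0.0.1 (NAT64, RFC 6052)
        return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    return addr


def canonical_ip(text):
    """Parse an IP literal and return the address that would actually be reached, as text."""
    return str(unwrap_transition(ipaddress.ip_address(text)))


def is_blocked_address(text):
    """True if an IP literal lands in a blocked range after unwrapping transition forms."""
    addr = unwrap_transition(ipaddress.ip_address(text))
    return any(addr in net for net in BLOCKED_NETS)


def _default_resolver(host):
    """Resolve a hostname to every A/AAAA record; each record must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def url_is_safe_target(url, resolver=_default_resolver):
    """Decide whether a caller-supplied crawl, webhook or proxy URL may be contacted.

    Returns (ok, reason). Every resolved address is checked because one AAAA record that
    points at a transition address is enough to reach the internal network. The result is
    point-in-time: pin the vetted address for the real connection, or re-check at connect
    time, to close the DNS-rebinding window.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname          # brackets stripped for IPv6 literals, lowercased
    if not host:
        return False, "missing host"
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:             # not an IP literal: resolve and check all records
        try:
            candidates = resolver(host)
        except OSError:
            return False, "unresolvable host"
    for cand in candidates:
        if is_blocked_address(cand):
            return False, f"{cand} is in a blocked range"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request fragments of the shape the advisory describes.
    crawl_url = "http://[64:ff9b::169.254.169.254]/latest/meta-data/"
    proxy_config = {"server": "http://10.0.0.2:3128"}
    # Fake resolver standing in for DNS: one public record, one v4-mapped internal record.
    fake_dns = lambda host: ["203.0.113.10", "::ffff:10.0.0.5"]
    print("crawl url :", url_is_safe_target(crawl_url))
    print("proxy     :", url_is_safe_target(proxy_config["server"]))
    print("hostname  :", url_is_safe_target("http://internal.example/", resolver=fake_dns))
    print("public    :", url_is_safe_target("http://203.0.113.10/"))
```

For proxy_config.server the stronger control is an allowlist of approved proxy hosts; the range blocklist above is the minimum. The same function applies to webhook callback URLs, which the advisory names as a second path for the transition-address bypass.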

RECOMMENDATION:

  • We recommend updating crawl4ai to version 0.8.9 or 0.8.8 or 0.8.7.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-6qhc-x826-342c
https://github.com/advisories/GHSA-4qqr-vv2q-cmr5
https://github.com/advisories/GHSA-qxjp-w3pj-48m7
