CVE-2026-56261
9.2
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Summary
Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, or cloud metadata endpoints (e.g. 169.254.169.254), causing the server to make requests to internal services and potentially expose cloud metadata.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Crawl4AI | Crawl4AI | 0 < 0.8.7 | affected |
| Crawl4AI | Crawl4AI | 0.8.7 | unaffected |
Weaknesses
- CWE-918: Server-Side Request Forgery (SSRF)
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg
- https://github.com/unclecode/crawl4ai
- https://www.vulncheck.com/advisories/crawl4ai-server-side-request-forgery-via-webhook-urls
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.