CVE-2026-26217
HIGH
GHSA-vx9w-5cx4-9796
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3Description
Crawl4AI versions prior to 0.8.0 contain a local file inclusion vulnerability in the Docker API deployment. The /execute_js, /screenshot, /pdf, and /html endpoints accept file:// URLs, allowing unauthenticated remote attackers to read arbitrary files from the server filesystem. An attacker can access sensitive files such as /etc/passwd, /etc/shadow, application configuration files, and environment variables via /proc/self/environ, potentially exposing credentials, API keys, and internal application structure.
Analysis
Crawl4AI versions before 0.8.0 allow unauthenticated remote attackers to read arbitrary files from the server through file:// URL handling in Docker API endpoints (/execute_js, /screenshot, /pdf, /html), enabling exposure of sensitive configuration files, credentials, and environment variables. The vulnerability affects Docker deployments and AI/ML applications using the affected library, with no patch currently available.
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all systems running Crawl4AI and identify version numbers; immediately disable or isolate affected instances if upgrade is not immediately possible. Within 7 days: Upgrade all Crawl4AI deployments to version 0.8.0 or later, or implement compensating controls listed below. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today