What is the CVSS score of CVE-2026-53755?

CVE-2026-53755 has a CVSS 3.1 base score of 8.6 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N.

Which versions of Crawl4AI are affected by CVE-2026-53755?

Crawl4AI's Docker API server (versions 0.8.8 and earlier) contains an unauthenticated server-side request forgery vulnerability with publicly available exploit code, allowing remote attackers to…. A patch is available.

How to fix or mitigate CVE-2026-53755?

24 hours: Identify all instances of Crawl4AI 0.8.8 if available; otherwise implement firewall rules blocking 169.254.169.254 at the container and host level. 30 days: Rotate AWS credentials and IAM keys that could have been exposed; disable IMDSv1 across your AWS account; deploy network policies to restrict Crawl4AI destination URLs.

Crawl4AI CVE-2026-53755

HIGH

Server-Side Request Forgery (SSRF) (CWE-918)

2026-06-16 https://github.com/unclecode/crawl4ai

GHSA-6qhc-x826-342c

Google SSRF Docker

8.6

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.6 HIGH

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

vuln.today AI

8.6 HIGH

Docker API is unauthenticated by default (PR:N), network-reachable with a trivial JSON payload (AV:N/AC:L), and SSRF reads cross the container's security authority into cloud metadata (S:C, C:H, I/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

Jun 16, 2026 - 23:19 vuln.today

Analysis Generated

Jun 16, 2026 - 23:19 vuln.today

CVE Published

Jun 16, 2026 - 21:02 github-advisory

HIGH 8.6

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

122 pypi packages depend on crawl4ai (115 direct, 10 indirect)

Ecosystem-wide dependent count for version 0.8.9.

DescriptionGitHub Advisory

Summary

The Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and cloud-metadata endpoints, while using a perfectly valid crawl URL. The Docker API is unauthenticated by default.

Affected paths

/crawl, /crawl/stream, and /crawl/job accept a browser_config (and crawler_config). The following all feed Chromium's egress and were unchecked:

browser_config.proxy_config.server
browser_config.proxy (deprecated field)
crawler_config.proxy_config.server
--proxy-server / --proxy-pac-url / --proxy-bypass-list / --host-resolver-rules flags in browser_config.extra_args

Attack

An attacker sends /crawl with a benign, validation-passing URL but a proxy_config.server pointing at an internal IP. Chromium routes all requests through that proxy. For plain-HTTP targets the proxy receives the full request and can return any content, which is then returned verbatim in the crawl result (results[0].html / cleaned_html / markdown). In a real deployment the proxy would be an attacker-controlled server pointing at cloud metadata (e.g. AWS IMDSv1 at 169.254.169.254) to retrieve IAM credential tokens.

Impact

Unauthenticated server-side request forgery to internal services and cloud-metadata endpoints, with the response returned to the attacker.

Fix

Every proxy destination is validated with the same global-routability check used for crawl URLs (reject any resolved address that is not is_global, including IPv6 transition forms) before the browser is constructed; proxy/DNS-redirecting flags are stripped from extra_args. A legitimate public proxy still works. Honors CRAWL4AI_ALLOW_INTERNAL_URLS.

Workarounds

Upgrade to the patched version (0.8.9).
Enable authentication (CRAWL4AI_API_TOKEN).
Restrict the container's outbound network access (egress firewall / no metadata route).

Credits

Geo (geo-chen) - reported the proxy_config.server SSRF with a clear PoC.

Articles & Coverage 1

News 5 New Docker Vulnerabilities - 1 Critical, 4 High Severity Jun 17, 2026

AnalysisAI

Server-side request forgery in Crawl4AI's Docker API server (versions <= 0.8.8) allows unauthenticated remote attackers to pivot Chromium's browser egress through an attacker-supplied proxy, reaching internal services and cloud-metadata endpoints such as AWS IMDSv1 at 169.254.169.254. The flaw exists because the SSRF destination check was applied only to the crawl target URL and not to the proxy address, while the Docker API is unauthenticated by default. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Discover exposed Crawl4AI Docker API

Delivery

POST /crawl with benign URL and malicious proxy_config.server

Exploit

Chromium routes request via attacker-specified internal IP

Execution

Internal service or IMDSv1 returns sensitive response

Persist

Response surfaced in results[0].html to attacker

Impact

Use stolen IAM credentials to pivot into cloud account

Access

Discover exposed Crawl4AI Docker API

Delivery

POST /crawl with benign URL and malicious proxy_config.server

Exploit

Chromium routes request via attacker-specified internal IP

Execution

Internal service or IMDSv1 returns sensitive response

Persist

Response surfaced in results[0].html to attacker

Impact

Use stolen IAM credentials to pivot into cloud account

Vulnerability AssessmentAI

Exploitation	The Crawl4AI Docker API server must be deployed and network-reachable by the attacker, with the default unauthenticated configuration (CRAWL4AI_API_TOKEN unset). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (8.6 High) aligns with the description: unauthenticated, network-reachable, low-complexity exploitation with a scope change because the impact (reading cloud metadata or internal HTTP services) crosses the security authority of the Docker container into the surrounding cloud-account boundary. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker discovers an internet-reachable Crawl4AI Docker API and POSTs to /crawl with a benign public URL such as https://example.com but sets browser_config.proxy_config.server to http://169.254.169.254:80; Chromium routes the request through that 'proxy', the IMDS endpoint returns IAM role credentials, and the response body is surfaced verbatim in results[0].html. The reporter (geo-chen) supplied a clear PoC in the GHSA advisory, so weaponization effort is minimal.
Remediation	Vendor-released patch: upgrade crawl4ai to 0.8.9, which validates every proxy destination against the same is_global routability check used for crawl URLs (including IPv6 transition forms) and strips proxy/DNS-redirecting flags from browser_config.extra_args while still honoring CRAWL4AI_ALLOW_INTERNAL_URLS for intentional internal use; the advisory is https://github.com/unclecode/crawl4ai/security/advisories/GHSA-6qhc-x826-342c. … Detailed patch versions, workarounds, and compensating controls in full report.