Skip to main content

Crawl4AI CVE-2026-57571

| EUVDEUVD-2026-41934 CRITICAL
Path Traversal (CWE-22)
2026-07-06 GitHub_M
9.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
vuln.today AI
9.6 CRITICAL

Remote attacker-controlled content with low complexity and no victim auth (PR:N) but requires the victim to crawl it (UI:R); arbitrary write outside the intended dir changes scope (S:C) and yields RCE, so C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 22:02 EUVD
Analysis Generated
Jul 06, 2026 - 21:13 vuln.today

DescriptionCVE.org

Crawl4AI is an open-source LLM-friendly web crawler and scraper. Prior to 0.9.0, when the crawler saves a downloaded file, the destination filename was taken from attacker-influenced input and joined to the downloads directory with no confinement. A filename containing an absolute path or traversal escaped the downloads directory, giving an arbitrary file write with attacker-controlled contents; the HTTP crawler path uses the response Content-Disposition filename and the browser crawler path uses the download's suggested filename. Because the written bytes are attacker-controlled, this can escalate to remote code execution. This issue is fixed in version 0.9.0.

AnalysisAI

Arbitrary file write in Crawl4AI (the open-source LLM-friendly web crawler by unclecode) before version 0.9.0 lets a malicious website or download control where crawled files land on disk, and because the file contents are also attacker-controlled this escalates to remote code execution. Both the HTTP crawler path (trusting the response Content-Disposition filename) and the browser crawler path (trusting the download's suggested filename) are affected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious site with crafted download
Delivery
Victim crawler fetches URL
Exploit
Content-Disposition/suggested filename carries traversal
Execution
Save escapes downloads directory
Persist
Write attacker bytes to sensitive path
Impact
Code executes as crawler user

Vulnerability AssessmentAI

Exploitation Exploitation requires that a Crawl4AI instance prior to 0.9.0 downloads and saves a file originating from attacker-controlled content - specifically the HTTP crawler path is triggered when the malicious server sets a crafted Content-Disposition filename (absolute path or ../ traversal), and the browser crawler path is triggered when a download's suggested filename is crafted; file-download handling must be exercised by the crawl. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are broadly consistent toward high priority but with one important caveat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker stands up (or compromises) a website that a target's Crawl4AI-based pipeline will crawl, and serves a file whose Content-Disposition header (HTTP path) or browser-suggested download name (browser path) contains a traversal/absolute path such as ../../../../home/app/.bashrc or a path into a Python site-packages module, with malicious contents. When the crawler downloads and saves the file, the bytes are written outside the downloads directory to an execution-relevant location, and code runs the next time that file is loaded or the process/user starts a shell. …
Remediation Vendor-released patch: upgrade to Crawl4AI 0.9.0, which fixes the unsafe filename handling (see advisory GHSA-2jq4-q6vv-4cp3 and commit 60886d1a0c52682e4c83a7cef9dfac417fff6bd2). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Crawl4AI; immediately restrict crawler operations to whitelisted, trusted domains only; disable processing of untrusted sources. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-57572 CRITICAL
10.0 Jul 06

Remote code execution in Crawl4AI's Docker API server (versions prior to 0.9.0) lets unauthenticated attackers run arbit

CVE-2026-26216 CRITICAL
10.0 Feb 12

Remote code execution in Crawl4AI Docker API before 0.8.0 via hooks parameter. The /crawl endpoint accepts Python code i

CVE-2026-56265 CRITICAL
9.3 Jun 21

Authentication bypass in Crawl4AI Docker API server (versions prior to 0.8.7) allows remote unauthenticated attackers to

CVE-2026-56258 CRITICAL
9.2 Jun 23

Arbitrary file write in Crawl4AI Docker API server before 0.8.8 lets unauthenticated remote attackers escape the ALLOWED

CVE-2026-56264 CRITICAL
9.2 Jun 30

Arbitrary JavaScript execution in Crawl4AI's Docker API server (versions before 0.8.7) lets remote attackers submit code

CVE-2026-56261 CRITICAL
9.2 Jul 10

Server-side request forgery in Crawl4AI's Docker API server (versions before 0.8.7) allows remote unauthenticated attack

CVE-2026-56266 CRITICAL
9.2 Jun 22

Server-side request forgery in Crawl4AI before 0.8.7 allows unauthenticated remote attackers to coerce the server into f

CVE-2026-26217 CRITICAL
9.2 Feb 12

Arbitrary local file disclosure in Crawl4AI's Docker API (versions before 0.8.0) lets unauthenticated remote attackers r

CVE-2025-28197 CRITICAL
9.1 Apr 18

Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py. Rated critical severity (CVSS 9.1), this vuln

CVE-2026-56260 HIGH
8.8 Jul 12

Arbitrary file write in Crawl4AI's Docker API server (versions before 0.8.7) lets remote unauthenticated attackers overw

CVE-2026-56259 HIGH
8.8 Jul 12

Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attacker

CVE-2026-57573 HIGH
8.6 Jul 06

Server-side request forgery in Crawl4AI's Docker API server (versions prior to 0.9.0) lets a remote unauthenticated clie

Share

CVE-2026-57571 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy