Skip to main content

Crawl4AI EUVDEUVD-2026-38432

| CVE-2026-56258 CRITICAL
Path Traversal (CWE-22)
2026-06-23 VulnCheck GHSA-wx2c-3cp2-f6qw
9.2
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Unauthenticated network endpoint (AV:N/PR:N), but exploitation requires winning a TOCTOU race and symlink staging (AC:H); arbitrary write enables full host compromise when runtime user can write executables.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 23, 2026 - 14:17 EUVD
Source Code Evidence Fetched
Jun 23, 2026 - 13:05 vuln.today
Analysis Generated
Jun 23, 2026 - 13:05 vuln.today

DescriptionCVE.org

Crawl4AI before 0.8.8 contains an arbitrary file write vulnerability in the screenshot and PDF endpoints that allows unauthenticated attackers to write files outside the intended directory via symlink and time-of-check-time-of-use (TOCTOU) attacks on the output_path parameter. Remote attackers can exploit insufficient path validation and symlink following to achieve arbitrary file write and potential code execution on systems where the runtime user has write access to executable or cron locations.

AnalysisAI

Arbitrary file write in Crawl4AI Docker API server before 0.8.8 lets unauthenticated remote attackers escape the ALLOWED_OUTPUT_DIR via symlinks and a TOCTOU race on the output_path parameter of the /screenshot and /pdf endpoints, potentially escalating to code execution where the runtime user can write to executable or cron paths. No public exploit identified at time of analysis, but the API is unauthenticated by default and the GHSA confirms the issue was found in an internal security audit.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Discover exposed Crawl4AI Docker API
Delivery
Pre-stage symlink inside ALLOWED_OUTPUT_DIR
Exploit
POST /screenshot with crafted output_path
Install
Win TOCTOU race against validate_output_path
C2
Write payload to cron or executable path
Execute
Wait for scheduler or invocation
Impact
Execute code as container user

Vulnerability AssessmentAI

Exploitation Target must be a Crawl4AI Docker API server <= 0.8.7 exposing the POST /screenshot or POST /pdf endpoints with the default unauthenticated configuration (CRAWL4AI_API_TOKEN unset). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 4.0 of 9.2 (AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H) reflects an unauthenticated network-reachable write with high attack complexity and a present attack requirement - the attacker must win a TOCTOU race or pre-position a symlink, which is non-trivial but feasible against a long-lived container. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker reachable to an unauthenticated Crawl4AI Docker server sends repeated POST /screenshot or POST /pdf requests with an output_path that points through a directory the attacker can race or pre-symlink, swapping in a symlink targeting /etc/cron.d/ or a binary the runtime user can overwrite. Winning the TOCTOU race between validate_output_path and the open() call writes attacker-controlled image/PDF bytes outside ALLOWED_OUTPUT_DIR; on hosts where the container runs as a user with write access to executable or cron paths, this yields code execution at the next scheduler tick. …
Remediation Vendor-released patch: upgrade pip package crawl4ai to 0.8.8 or later, which resolves the real path of the output_path parent, re-checks containment after symlink resolution, and writes with O_NOFOLLOW (see PR https://github.com/unclecode/crawl4ai/pull/3 and advisory https://github.com/unclecode/crawl4ai/security/advisories/GHSA-7cx2-g3h9-382p). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all deployments of Crawl4AI versions prior to 0.8.8 to identify instances exposed on untrusted networks; determine if the /screenshot and /pdf endpoints can be safely disabled. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-57572 CRITICAL
10.0 Jul 06

Remote code execution in Crawl4AI's Docker API server (versions prior to 0.9.0) lets unauthenticated attackers run arbit

CVE-2026-26216 CRITICAL
10.0 Feb 12

Remote code execution in Crawl4AI Docker API before 0.8.0 via hooks parameter. The /crawl endpoint accepts Python code i

CVE-2026-57571 CRITICAL
9.6 Jul 06

Arbitrary file write in Crawl4AI (the open-source LLM-friendly web crawler by unclecode) before version 0.9.0 lets a mal

CVE-2026-56265 CRITICAL
9.3 Jun 21

Authentication bypass in Crawl4AI Docker API server (versions prior to 0.8.7) allows remote unauthenticated attackers to

CVE-2026-56264 CRITICAL
9.2 Jun 30

Arbitrary JavaScript execution in Crawl4AI's Docker API server (versions before 0.8.7) lets remote attackers submit code

CVE-2026-56261 CRITICAL
9.2 Jul 10

Server-side request forgery in Crawl4AI's Docker API server (versions before 0.8.7) allows remote unauthenticated attack

CVE-2026-56266 CRITICAL
9.2 Jun 22

Server-side request forgery in Crawl4AI before 0.8.7 allows unauthenticated remote attackers to coerce the server into f

CVE-2026-26217 CRITICAL
9.2 Feb 12

Arbitrary local file disclosure in Crawl4AI's Docker API (versions before 0.8.0) lets unauthenticated remote attackers r

CVE-2025-28197 CRITICAL
9.1 Apr 18

Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py. Rated critical severity (CVSS 9.1), this vuln

CVE-2026-56260 HIGH
8.8 Jul 12

Arbitrary file write in Crawl4AI's Docker API server (versions before 0.8.7) lets remote unauthenticated attackers overw

CVE-2026-56259 HIGH
8.8 Jul 12

Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attacker

CVE-2026-57573 HIGH
8.6 Jul 06

Server-side request forgery in Crawl4AI's Docker API server (versions prior to 0.9.0) lets a remote unauthenticated clie

Share

EUVD-2026-38432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy