Skip to main content

Crawl4AI EUVDEUVD-2026-38745

| CVE-2026-56262 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-06-24 VulnCheck GHSA-xrfj-6m49-wfmm
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable with no authentication (AV:N/PR:N/AC:L), no scope change, limited to monitoring state disruption with no confidentiality impact (C:N/I:L/A:L).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 24, 2026 - 13:01 EUVD
Source Code Evidence Fetched
Jun 24, 2026 - 12:21 vuln.today
Analysis Generated
Jun 24, 2026 - 12:21 vuln.today

DescriptionCVE.org

Crawl4AI before 0.8.7 contains an authentication bypass vulnerability in the monitor router endpoints that allows unauthenticated attackers to access destructive operations. Remote attackers can invoke the /monitor/actions/cleanup endpoint and manipulate monitoring state without authentication, causing service disruption.

AnalysisAI

Authentication bypass in the Crawl4AI Docker API server before 0.8.7 exposes all monitor router endpoints - including the destructive /monitor/actions/cleanup action - to unauthenticated remote attackers due to missing token dependency injection on the monitor router. Any attacker with network access to the Docker API port can invoke cleanup operations and manipulate monitoring state, causing service disruption without credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Crawl4AI Docker API server port
Delivery
Send unauthenticated HTTP POST to /monitor/actions/cleanup
Exploit
Bypass absent authentication on monitor router
Execution
Trigger monitoring state reset
Impact
Disrupt active crawl service operations

Vulnerability AssessmentAI

Exploitation Exploitation requires that the Crawl4AI Docker API server is running and its API port is reachable by the attacker - either directly via public internet exposure or through lateral movement from an adjacent network segment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N) correctly characterizes the attack as trivially reachable from the network with no conditions or interaction, but caps impact at limited integrity and availability disruption with no confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to a Crawl4AI Docker API server sends a single unauthenticated HTTP POST to /monitor/actions/cleanup, immediately triggering a monitoring state reset without any credentials, tokens, or prior reconnaissance. This disrupts active crawl job visibility and can interfere with ongoing operations managed through the monitoring subsystem. …
Remediation Upgrade to Crawl4AI 0.8.7 or later via pip (pip install 'crawl4ai>=0.8.7'), which resolves this vulnerability by adding dependencies=[Depends(token_dep)] to the monitor router registration and adding explicit token validation on the /monitor/ws WebSocket endpoint. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-57572 CRITICAL
10.0 Jul 06

Remote code execution in Crawl4AI's Docker API server (versions prior to 0.9.0) lets unauthenticated attackers run arbit

CVE-2026-26216 CRITICAL
10.0 Feb 12

Remote code execution in Crawl4AI Docker API before 0.8.0 via hooks parameter. The /crawl endpoint accepts Python code i

CVE-2026-57571 CRITICAL
9.6 Jul 06

Arbitrary file write in Crawl4AI (the open-source LLM-friendly web crawler by unclecode) before version 0.9.0 lets a mal

CVE-2026-56265 CRITICAL
9.3 Jun 21

Authentication bypass in Crawl4AI Docker API server (versions prior to 0.8.7) allows remote unauthenticated attackers to

CVE-2026-56258 CRITICAL
9.2 Jun 23

Arbitrary file write in Crawl4AI Docker API server before 0.8.8 lets unauthenticated remote attackers escape the ALLOWED

CVE-2026-56264 CRITICAL
9.2 Jun 30

Arbitrary JavaScript execution in Crawl4AI's Docker API server (versions before 0.8.7) lets remote attackers submit code

CVE-2026-56261 CRITICAL
9.2 Jul 10

Server-side request forgery in Crawl4AI's Docker API server (versions before 0.8.7) allows remote unauthenticated attack

CVE-2026-56266 CRITICAL
9.2 Jun 22

Server-side request forgery in Crawl4AI before 0.8.7 allows unauthenticated remote attackers to coerce the server into f

CVE-2026-26217 CRITICAL
9.2 Feb 12

Arbitrary local file disclosure in Crawl4AI's Docker API (versions before 0.8.0) lets unauthenticated remote attackers r

CVE-2025-28197 CRITICAL
9.1 Apr 18

Crawl4AI <=0.4.247 is vulnerable to SSRF in /crawl4ai/async_dispatcher.py. Rated critical severity (CVSS 9.1), this vuln

CVE-2026-56260 HIGH
8.8 Jul 12

Arbitrary file write in Crawl4AI's Docker API server (versions before 0.8.7) lets remote unauthenticated attackers overw

CVE-2026-56259 HIGH
8.8 Jul 12

Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attacker

Share

EUVD-2026-38745 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy