CVE-2026-53754 | Crawl4AI is an open-source LLM friendly web crawler & scrape… | CVSS 7.5 HIGH

Description

Crawl4AI is an open-source LLM friendly web crawler & scraper. Prior to 0.8.8, the Docker API server's SSRF protection (validate_webhook_url / validate_url_destination in deploy/docker/utils.py) used an explicit IPv4/IPv6 CIDR blocklist that missed several address families. An attacker could reach internal services and cloud metadata endpoints (e.g. 169.254.169.254) despite the filter by encoding an internal IPv4 address inside an IPv6 transition form, or by using the IPv6 unspecified address. Because the Docker API is unauthenticated by default (jwt_enabled: false), no credentials are required. This vulnerability is fixed in 0.8.8.

Metadata

CVE ID: CVE-2026-53754
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-06-10 17:48 UTC
Published: 2026-06-23 18:16 UTC
Last updated: 2026-06-23 18:54 UTC
Primary CWE: CWE-918
CWE-918: Server-Side Request Forgery (SSRF)
Vendor / Product: unclecode / crawl4ai
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
unclecode	crawl4ai	—	< 0.8.8

Weakness (CWE)

CWE	Source	Description
CWE-918	cna	CWE-918: Server-Side Request Forgery (SSRF)

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (1)

https://github.com/unclecode/crawl4ai/security/advisories/GHSA-4qqr-vv2q-cmr5 https://github.com/unclecode/crawl4ai/security/advisories/GHSA-4qqr-vv2q-cmr5