Back to overview

CVE-2026-56261

HIGH
8.6
CVSS 3.1
Description
Crawl4AI before 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the Docker API server's /crawl/job and /llm/job endpoints, which accept webhook URLs without destination validation. An attacker can supply webhook URLs pointing to private or internal IP ranges, Docker networks, or cloud metadata endpoints (e.g. 169.254.169.254), causing the server to make requests to internal services and potentially expose cloud metadata.

Metadata

CVE ID
CVE-2026-56261
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-06-19 21:56 UTC
Published
2026-07-10 13:57 UTC
Last updated
2026-07-10 14:58 UTC
Primary CWE
CWE-918
Server-Side Request Forgery (SSRF)
Vendor / Product
Crawl4AI / Crawl4AI
Sources
cve.org  ·  NVD

Severity & Metrics

8.6 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
Crawl4AI Crawl4AI 0 < 0.8.7, 0.8.7
Weakness (CWE)
CWESourceDescription
CWE-918 cna Server-Side Request Forgery (SSRF)
CVSS scores (2)
ScoreSeverityVersionSourceVector
9.2 CRITICAL 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
8.6 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
References (3)
Back to overview