CVE-2026-56265 | Crawl4AI before 0.8.7 contains an authentication bypass vuln… | CVSS 9.8 CRITICAL

Description

Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected functionality.

Metadata

CVE ID: CVE-2026-56265
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-20 01:42 UTC
Published: 2026-06-21 13:26 UTC
Last updated: 2026-06-21 13:26 UTC
Primary CWE: CWE-798
Use of Hard-coded Credentials
Vendor / Product: Crawl4AI / Crawl4AI
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products (1)

Vendor	Product	Platform	Versions
Crawl4AI	Crawl4AI	—	0 < 0.8.7, 0.8.7

Weakness (CWE)

CWE	Source	Description
CWE-798	cna	Use of Hard-coded Credentials

CVSS scores (2)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3	CRITICAL	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (3)

https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg
https://github.com/unclecode/crawl4ai https://github.com/unclecode/crawl4ai
VulnCheck Advisory: Crawl4AI - Authentication Bypass via Hardcoded JWT Signing Key https://www.vulncheck.com/advisories/crawl4ai-authentication-bypass-via-hardcoded-jwt-signing-key