CVE Catalog

CVE-2026-56266

HighCVSS 8.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

21th percentile - higher than 21% of all known CVEs

Summary

Crawl4AI before version 0.8.7 contains a server-side request forgery (SSRF) vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.

Risk Assessment

The risk involves unauthorized access to internal network resources, such as internal services and cloud metadata endpoints, potentially leading to sensitive data leakage or further infrastructure compromise.

Recommendation

It is recommended to immediately upgrade Crawl4AI to version 0.8.7 or later and implement additional URL validation and network restrictions for SSRF-vulnerable endpoints.

Original NVD description (English source)

Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS