CVE-2026-56266

HIGH 8.6

Crawl4AI - Server-Side Request Forgery via Direct Crawl Endpoints

CVSS Score

8.6

EPSS Score

0.0%

EPSS Percentile

0th

Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reach internal services and cloud metadata endpoints.

CWE	CWE-918
Vendor	crawl4ai
Product	crawl4ai
Published	Jun 22, 2026

Stay Ahead of the Next One

Get instant alerts for crawl4ai crawl4ai

Be the first to know when new high vulnerabilities affecting crawl4ai crawl4ai are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Crawl4AI / Crawl4AI

0 < 0.8.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/unclecode/crawl4ai/security/advisories/GHSA-365w-hqf6-vxfg github.com: https://github.com/unclecode/crawl4ai vulncheck.com: https://www.vulncheck.com/advisories/crawl4ai-server-side-request-forgery-via-direct-crawl-endpoints